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CONFIDENTIALITY OF HEALTH INFORMATION 


TUESDAY, JULY 20, 1999 

House of Representatives, 

Committee on Ways and Means, 

Subcommittee on Health, 

Washington, DC. 

The Subcommittee met, pursuant to call, at 3:20 p.m., in room 
1100, Longworth House Office Building, Hon. Bill Thomas (Chair- 
man of the Subcommittee) presiding. 

[The advisories announcing the hearing follow:] 


( 1 ) 



2 


ADVISORY 

FROM THE COMMITTEE ON WAYS AND MEANS 

SUBCOMMITTEE ON HEALTH 

FOR IMMEDIATE RELEASE CONTACT: (202) 225-3943 

July 13, 1999 
No. HI^8 


Thomas Announces Hearing on 
Confidentiality of Health Information 

Congressman Bill Thomas (R-CA), Chairman, Subcommittee on Health of the 
Committee on Ways and Means, today announced that the Subcommittee will hold 
a hearing on proposals to protect the confidentiality of patients’ health care informa- 
tion. The hearing will take place on Tuesday, July 20, 1999, in the main Committee 
hearing room, 1100 Longworth House Office Building, beginning at 2:00 p.m. 

In view of the limited time available to hear witnesses, oral testimony at this 
hearing will be from invited witnesses only. However, any individual or organization 
not scheduled for an oral appearance may submit a written statement for consider- 
ation by the Committee and for inclusion in the printed record of the hearing. 

BACKGROUND: 

Section 264 of the Health Insurance Portability and Accountability Act of 1996 
(HIPAA) (P.L. 104-191) required the Secretary of Health and Human Services to 
develop policy recommendations with respect to the confidentiality of health infor- 
mation by August 1997. Specifically, the HIPAA mandate required that this new 
policy be designed to protect the privacy of personal health information that is 
transmitted electronically, in conjunction with one of the standardized health trans- 
actions established by HIPAA’s administrative simplification provisions. Secretary 
Shalala submitted these recommendations to Congress in September of 1997. Under 
HIPAA, Congress has until August 21, 1999, to enact a privacy law. If Congress 
fails to enact a medical privacy law, the Secretary is then required to issue regula- 
tions within six months. The law provides that, if regulations are issued, they will 
not supercede stricter State privacy laws. The Subcommittee began its exploration 
of this issue with a hearing on March 24, 1998. At that meeting. Subcommittee 
members heard from a variety of private witnesses, as well as Dr. Don Detmer, then 
Chairman of the National Committee on Vital Health Statistics (NCHVS). The 
NCVHS advised the Secretary in the development of her policy recommendations. 

In announcing the hearing. Chairman Thomas stated: “The importance of infor- 
mation to America’s modern health care delivery system cannot be overstated. The 
rapid exchange of information B much of it personal in nature B is critical to the 
delivery of high quality care, the increasingly complex financing of care, and ongoing 
efforts to improve quality. Protecting the confidentiality and security of this infor- 
mation is even more important. Only by protecting the confidentiality of health in- 
formation can we give patients the confidence they need to seek help, even for the 
most personal or sensitive of health issues. Data integrity and system security 
measures are critical to our ongoing efforts to improve health care outcomes and 
find new cures through the application of information technology to medical re- 
search. Today, every patient B including 38 million Medicare patients B benefits 
from the extensive use and exchange of information in our health system. However, 
our laws need to be updated to better protect the confidentiality and security of this 
information. 



3 


FOCUS OF THE HEARING: 

The hearing will focus on various aspects of the patient confidentiality issue that 
have heen raised by the Secretary’s recommendations to Congress and by other laws 
. The Subcommittee will receive testimony from several public agency representa- 
tives and from a variety of private sector witnesses representing different perspec- 
tives from within the health care system. 

DETAILS FOR SUBMISSION OF WRITTEN COMMENTS: 

Any person or organization wishing to submit a written statement for the printed 
record of the hearing should submit six (6) single-spaced copies of their statement, 
along with an IBM compatible 3.5-inch diskette in WordPerfect 5.1 format, with 
their name, address, and hearing date noted on a label, by the close of business, 
Tuesday, August 3, 1999, to A.L. Singleton, Chief of Staff, Committee on Ways and 
Means, U.S. House of Representatives, 1102 Longworth House Office Building, 
Washington, D.C. 20515. If those filing written statements wish to have their state- 
ments distributed to the press and interested public at the hearing, they may de- 
liver 200 additional copies for this purpose to the Subcommittee on Health office, 
room 1136 Longworth House Office Building, by close of business the day before the 
hearing. 

FORMATTING REQUIREMENTS: 

Each statement presented for printing to the Committee by a witness, any written statement 
or exhibit submitted for the printed record or any written comments in response to a request 
for written comments must conform to the guidelines listed below. Any statement or exhibit not 
in compliance with these guidelines will not be printed, but will be maintained in the Committee 
files for review and use by the Committee. 

1. All statements and any accompanying exhibits for printing must be submitted on an IBM 
compatible 3.5-inch diskette in WordPerfect 5.1 format, typed in single space and may not ex- 
ceed a total of 10 pages including attachments. Witnesses are advised that the Committee will 
rely on electronic submissions for printing the official hearing record. 

2. Copies of whole documents submitted as exhibit material will not be accepted for printing. 
Instead, exhibit material should be referenced and quoted or paraphrased. All exhibit material 
not meeting these specifications will be maintained in the Committee files for review and use 
by the Committee. 

3. A witness appearing at a public hearing, or submitting a statement for the record of a pub- 
lic hearing, or submitting written comments in response to a published request for comments 
by the Committee, must include on his statement or submission a list of all clients, persons, 
or organizations on whose behalf the witness appears. 

4. A supplemental sheet must accompany each statement listing the name, company, address, 
telephone and fax numbers where the witness or the designated representative may be reached. 
This supplemental sheet will not be included in the printed record. 

The above restrictions and limitations apply only to material being submitted for printing. 
Statements and exhibits or supplementary material submitted solely for distribution to the 
Members, the press and the public during the course of a public hearing may be submitted in 
other forms. 


Note: All Committee advisories and news releases are available on the World 
Wide Web at ‘HTTP:/AVWW.HOUSE.GOVAVAYS_MEANS/’. 


The Committee seeks to make its facilities accessible to persons with disabilities. 
If you are in need of special accommodations, please call 202-225-1721 or 202-226- 
3411 TTDATTY in advance of the event (four business days notice is requested). 
Questions with regard to special accommodation needs in general (including avail- 
ability of Committee materials in alternative formats) may be directed to the Com- 
mittee as noted above. 
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NOTICE— CHANGE IN TIME 

ADVISORY 

FROM THE COMMITTEE ON WAYS AND MEANS 

SUBCOMMITTEE ON HEALTH 

FOR IMMEDIATE RELEASE CONTACT: (202) 225-3943 

July 16, 1999 
No. HI^8-Revised 

Change in Time for Subcommittee Hearing on 
Confidentiality of Health Information 

Tuesday, July 20, 1999 

Congressman Bill Thomas (R-CA), Chairman, Subcommittee on Health of the 
Committee on Ways and Means, today announced that the Subcommittee hearing 
on confidentiality of health information, previously scheduled for Tuesday, July 20, 
1999, at 2:00 p.m., in the main Committee hearing room, 1100 Longworth House 
Office Building, will now begin at 3:00 p.m. 

All other details for the hearing remain the same. (See Subcommittee press re- 
lease No. HL-8, dated July 13, 1999.) 


Chairman Thomas. The Subcommittee will come to order. Well, 
good afternoon. 

Today, the Subcommittee will be holding its second hearing on 
the confidentiality of health care information. The Ways and Means 
Committee began focusing on this issue directly and intently in 
1996. That was the year Congress passed the Health Insurance 
Portability and Accountability Act or, as we call it, HIPAA. 

Among HIPAA’s many provisions was an initiative specifically 
designed to reduce the administrative costs associated with the 
processing of claims, other routine transactions, Medicaid, Medi- 
care and the rest of the health care system. This initiative now 
codified in title XI of the Social Security Act is known as adminis- 
trative simplification. 

Part of that administrative simplification effort, in addition to 
standardized health care transactions, was acknowledgment that 
there was a need for re-evaluation and enhancement of the con- 
fidentiality protections afforded health information, particularly in 
light of stories and knowledge dealing with computers and the elec- 
tronic forms of communication that began advancing themselves in 
the health care financing system. 

We did that by including a provision in that administrative sim- 
plification section requiring the Secretary of Health and Human 
Services to develop and forward to the Ways and Means Committee 
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and the Senate Finance Committee recommendations for national 
health care confidentiality legislation. Those recommendations 
were forwarded to us in Septemher 1997, and they were a subject 
of this Subcommittee’s hearing last spring. 

Now, there is an aspect of HIPAA that says unless Congress acts 
on the confidentiality legislation on its own by August 21 that the 
Secretary has the authority to promulgate regulations to protect 
confidentiality of information transmitted electronically. I think all 
of us hope that this will not be necessary. As the administration 
has often said, and I believe is sincere, it would be far better if 
Congress acted on the HIPAA mandate and passed a comprehen- 
sive confidentiality statute than regulations promulgated by the 
Secretary in accordance with the HIPAA provisions. 

We have all been working on this issue. The Senate has labored, 
other Committees of the House have labored, and many of you 
know I have been working with a number of our colleagues, prin- 
cipally Ben Cardin, in the hopes of developing a bill that can be 
widely supported by Members on both sides of the aisle, by those 
who are involved in this issue and, most importantly, by providers 
and patients. 

We believe we are close to presenting the Subcommittee with the 
proposal, but we believe this hearing will be very informative and 
will assist us in understanding some of the areas that we still have 
not been able to finalize. And more specifically today, we will be 
looking at the many different ways that personal health informa- 
tion is used in Medicare and throughout the private health care 
system. We will be looking at the Secretary’s proposed policy under 
HIPAA, and I do think, though, many of the hearings that we have 
had for background and resource information are valuable, this one 
could be one of the most valuable ones that we will hold. 

Our failure to act in this area may, in fact, miss a window to pro- 
tect the confidentiality of patients’ personal health information in 
a broad and significant way for individuals but just as importantly 
for health care outcomes research using the material that a con- 
fidentiality Federal structure would provide. 

And so, I look forward to the testimony from our witnesses and 
look forward to Members of this Subcommittee meeting and trying 
to resolve what I think is one of the key issues today and that is 
identify and develop policies that balance truly competing needs, 
almost competing rights. This hearing will be central in assisting 
us in doing that, and I will recognize my colleague if he has any 
statement. 

Mr. Kleczka. Thank you, Mr. Chairman. 

Mr. Chairman, what I would like to do is ask unanimous consent 
to enter into the record the opening statement by the Ranking 
Member, Pete Stark, who is under the weather today. 

Chairman Thomas. Without objection. 

[The opening statements follow:] 

Opening Statement of Chairman William M. Thomas, a Representative in 
Congress from the State of California 

Good Afternoon. Today the Subcommittee will be holding its second hearing on 
the confidentiality of health care information. The Ways and Means Committee 
began its focus on this issue most recently, in 1996. That was the year Congress 
passed the Health Insurance Portability and Accountability Act, or HIPAA. Among 
HIPAA’s many provisions, was an initiative specifically designed to reduce the ad- 



6 


ministrative costs associated with the processing of claims and other routine trans- 
actions in Medicare, Medicaid and the rest of the health care system. This initiative, 
now codified in Title XI of the Social Security Act, is known as Administrative Sim- 
plification. 

As part of the Administrative Simplification effort, Congress acknowledged that, 
in addition to standardized health care transactions, there was a need for a reevalu- 
ation and enhancement of the confidentiality protections afforded health informa- 
tion — particularly in light of the increasing use of computers and electronic forms 
of communication in the health care financing system. Congress did this by includ- 
ing in the Administrative Simplification provisions a requirement that the Secretary 
of Health and Human Services develop and forward to the House Ways and Means 
and Commerce Committees, and the Senate Finance and Labor Committees, rec- 
ommendations for national health care confidentiality legislation. The Secretary’s 
recommendations were forwarded to us in September of 1997 and they were the 
subject of our last hearing on this issue last Spring. Unless Congress acts on con- 
fidentiality legislation of its own by August 21st of this year, the HIPAA law gives 
the Secretary the authority to promulgate regulations to protect the confidentiality 
of information transmitted electronically in connection with one of HIPAA standard- 
ized transactions. 

I hope that this will not be necessary. As the Administration has often said, I be- 
lieve it would be far better if Congress acted on the HIPAA mandate and passed 
a much, more comprehensive confidentiality bill — a bill that would protect the con- 
fidentiality of all personal health information in the system — not just that trans- 
mitted in accordance with HIPAA. 

That is why I am intent on bringing legislation before this panel shortly that will 
meet the HIPAA mandate and go beyond, and establish protections for all personal 
health information. As many of you know, I have been working with my colleague. 
Representative Cardin, in the hopes of developing a bill that can be widely sup- 
ported by Members on both sides of the aisle. While I believe we are close to pre- 
senting the subcommittee with a proposal, I believe this hearing will be very inform- 
ative and help us greatly as we seek to hammer out the final details. 

More specifically, today we will be looking at the many different ways that per- 
sonal health information is used in Medicare and throughout our private health care 
system. Moreover, we will be examining the possible effects of the Secretary’s pro- 
posed policy to protect the confidentiality of that information. As far as I am con- 
cerned, the importance of this issue to health policy can not be overstated. Confiden- 
tiality is a fundamental value of medicine. It is essential to the delivery of care. 
Only by honoring the confidences of patients can the system maintain the trust that 
is critical to the patient-care^ver relationship. Only by protecting the confidentiality 
of patient’s personal health information can we ensure that patients will continue 
to seek out care when needed. 

Similarly though, information about individual patient encounters with the health 
system is of fundamental importance to efforts to our improve the public health. The 
lessons learned from one patient’s encounter with the system makes it possible to 
improve the care of the next patient. Finding new cures for disease and identifying 
better methods of treatment are dependent on information that is learned when pa- 
tients obtain care. Finally, information about individual patient encounters is essen- 
tial to the processing of today’s increasingly complex and sophisticated payment ar- 
rangements — including those we employ today to finance Medicare and Medicaid. 

Our challenge is to identify and develop policies that balance these competing 
needs. My hope is that today’s hearing will be instrumental in helping us do this. 


Opening Statement of Hon. Fortney Pete Stark, a Representative in 
Congress from the State of California 

Thank you, Mr. Chairman, for holding this hearing today. 

We have a lot of questions to ask our witnesses. They are difficult questions that 
many committees have struggled to answer over the course of numerous hearings 
during the last several years. 

I hope we can make progress today by getting some thoughtful answers to some 
of the toughest issues in the medical privacy arena. The most fundamental is this: 
Does federal legislation that establishes uniform rules for all health care providers 
have to preempt state laws? 

I submit that the answer is no — that under the federal Supremacy Clause that 
we will shortly be hearing more about from GAO, any confidentiality legislation we 
enact will become a baseline for medical privacy in this country. This means that 
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if federal law is more protective than similar state laws, then our legislation will 
become the standard. And the degree of public anxiety about eroding medical pri- 
vacy tells me that any federal standard should be as clear and as protective as pos- 
sible. 

But in those cases where a state’s law is stronger — as in California’s requirement 
that all law enforcement officials must have a warrant to access identifiable health 
information — then state law should govern. 

If followed, this basic principle would provide meaning and shape to a debate that 
has often sputtered and bogged down over definitional squabbles that fail to produce 
a workable agreement. 

We have little enough time left to craft a consensus. And I regret that the panel’s 
real expert on medical privacy. Dr. Jim McDermott, is not able to be with us today. 
As yet, we do not have legislation under consideration by this Subcommittee. But 
I hope that when we do, we will have plenty of time to discuss it and ask further 
questions before marking it up. 

Thank you. 


Mr. Kleczka. And also the statement of another colleague from 
the Subcommittee, Jim McDermott, who has been very active in 
this issue. He is unable to be here. He is recuperating from heart 
surgery back in his home State of Washington. 

I talked to Jim a short time ago, and he is doing quite well, and 
he thanks all the Members of Congress for their concern and the 
friends that he has around the DC area. 

So I would ask unanimous consent that Mr. McDermott’s state- 
ment be entered also in the record. 

Chairman Thomas. Without objection. 

[The opening statement follows:] 


Statement of Hon. Jim MeDermott, a Representative in Congress from the 

State of Washington 

Mr. Chairman, thank you for inserting my statement into the record. I had hoped 
to be here for this hearing, but I am in Seattle recuperating from heart surgery. 

As you know, medical privacy is an issue that I have long cared about. As a psy- 
chiatrist and health care consumer I witnessed a need for strong federal privacy law 
protecting patients. It is amazing that we don’t have strong privacy protections in 
place for medical records already yet we have one for video rental records. 

Why do we need a Federal medical privacy law? Currently, privacy protections are 
weak and vary widely from state to state. Only 28 states allow people to even exam- 
ine their own medical records. This lack of strong national standards could allow 
employers, schools, marketing agencies and others access to what ought to be con- 
fidential files. 

Ensuring privacy in medical care is more important now than ever before because 
of new technologies like genetic testing and the computerization of medical records. 
Genetic research and testing has profound implications for our country’s health care 
system because genetic information discloses not just our current health, but also 
purports to accurately predict our potential future health, and the health of our 
families. 

The Human Genome Project may have a draft of the entire genome by early next 
year. And, in the near future, tests will be available for common genetically affected 
conditions. These tests create opportunities even as they raise serious challenges 
that we need to address immediately. 

The BRCA-1 genetic test for breast cancer illustrates the dimensions of this de- 
bate. Women have been advised to be tested, but only as part of a research protocol. 

Some patients see this as paternalistic, preferring to be informed of the results 
of the test, even if those results are not easily interpretable at this moment. Pa- 
tients are warned about the potential risks of whether they will be able to buy 
health insurance or even if they will be able to get a job — should others learn of 
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their genetic status. Understandably, this has discouraged some women from par- 
ticipating in even the research, where their identities should be strictly protected. 

Not everyone wants to know his or her genetic status. This can cause friction for 
families in which some members wish to be tested, but others do not. Sometimes 
the tests require participation by several family members to determine which muta- 
tion is common in that particular family. Some mothers have opted not to be tested 
to prevent anticipated discrimination against their daughters, while others feel com- 
pelled to be tested to spare their daughters the anxiety of not knowing if they carry 
the mutation. 

Genetic tests also raise the issue of cost. Many insurance plans do not cover ge- 
netic tests, or they do not cover the counseling that is an integral part of genetic 
therapy. If a woman has no health insurance, frequent mammography screenings 
for breast cancer are a considerable expense, and the results of the test may be 
worse than useless to her. 

Increasing reliance on mass computer databases further complicates the problem. 
Computers have revolutionized the way an individual’s medical information is col- 
lected, stored, and disseminated. Without adequate, enforceable controls, this infor- 
mation can be used to breach the privacy of patients and to discriminate against 
them. 

In 1996, Harvard and Stanford conducted a study of 200 people who suffered dis- 
crimination in insurance, jobs, education, or child adoptions because of their pre- 
disposition to a genetic disease. What makes their stories particularly disturbing is 
that these people had no s 3 miptoms, and perhaps would never develop that par- 
ticular disease. These examples led to my concern about what the future holds if 
we allow indiscriminate use of these new technologies. 

I will introduce this year, as I have in the last two congresses, a bill called the 
“Medical Privacy in the Age of New Technologies Act.” This measure is intended to 
ensure that a patients personal health information will not be disclosed without that 
patients explicit consent, and that patients have access to their own records. It puts 
the individual in charge of what happens to his or her medical information, who 
sees it, and why. 

As you may know, the Congress is required to pass privacy legislation by this Au- 
gust. If we fail to meet this deadline, the Secretary of Health and Human Services 
will promulgate regulations. Even the Secretary agrees that regulations will not 
provide patients with the kind of strong protections that can be imposed by law. 

As the Subcommittee considers legislative proposals there are two basic principles 
that should be included in any privacy legislation: 

• First, people need to be notified of how their personal information might be 
used, 

• Second, they must have the opportunity for meaningful informed consent. In- 
formed consent in the realm of health care is key. If patients fear that their records 
will be used in ways they do not know about, or will be given to third parties with- 
out their permission, they will not trust the health care system, and they will not 
tell their doctors the information necessary to provide them the best care. 

It is likely that the generalizations we use to describe competing privacy proposals 
will make the bills sound very similar. But, to use an often-overused phrase, the 
devil is in the details. When you examine the details of these bills you will find a 
number of distinctions. Most notably they differ on the issues of the informed con- 
sent, research, and the preemption of state laws. 

Following the basic principle that an individual has a right to privacy of their 
health information, it is important the patient is informed — in writing — of what in- 
formation is to be disclosed, for what purpose, to which entity, and for what period 
of time. There should be two tiers of authorization: one for treatment and payment, 
and another for other purposes, such as research. Individuals can not “opt out” of 
using their information for treatment and payment. However, in some bills includ- 
ing my own, patients can opt out of using their information for the second tier 
“other purposes.” The debate in Congress has focused around what constitutes 
“treatment and payment.” Does treatment and payment include auditing, research, 
marketing, and so on? 

Research is another area of distinction. How will medical privacy legislation affect 
the ability to conduct medical research? The legislation I have proposed will not un- 
dermine research capabilities. It allows researchers to use coded information, mean- 
ing information that either is anonymous, but could be linked to protected health 
information by authorized persons, or is nonidentifiable information, which is anon- 
ymous and cannot be linked to anyone. Some legislation, such as the Bennett bill, 
has taken the approach that since we have all benefited from past medical research 
we are obligated to participate in future research. This is a tremendously important 
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and difficult area to legislate. For which reason, I am working to find a balance be- 
tween the two approaches. 

One of the most contentious issues we are grappling with is the issue of pre- 
emption of state law. I believe that the only meaningful medical privacy law will 
be one that is a “federal floor” that does not pre-empt stronger state laws. There 
are literally thousands of state laws that address the privacy of medical records in- 
formation in non-health related areas. The pre-emption of all state law could have 
significant unintended consequences and will be costly to states. For instance, laws 
are on the books in many states regarding the privacy of the health information of 
victims of sexual assault. To broadly pre-empt these laws — not knowing what we are 
pre-empting and what the impact will be — is very short sighted. 

To argue the necessity of a “federal ceiling” claiming that we must preempt state 
laws to make it easier for the interstate health industry is incredible. For a Con- 
gress that has advocated sending power back to the states, I find it ironic that in 
this case they think the Federal government can do it better. Restricting states from 
passing stronger privacy laws would keep them from responding to many new, 
unique, and inherently local challenges in health care and public health. Especially, 
since there is no precedent in federal privacy or civil rights law for pre-empting 
stronger state laws. 

In the coming debate, many people will speak for industries that stand to make 
money from the use and misuse of information. For them, medical records are com- 
modities that are bought and sold. 

We will hear many claims that any new legislation must not interfere with those 
particular interests. But the group we should listen to most will be hardest to hear: 
patients and their families. Think about your own family’s medical records being 
available for anyone to look at. What value can we place on the confidentiality of 
the doctor-patient relationship? It is essential that we protect the privacy of individ- 
uals, including their genetic privacy. Good legislation can ensure that new tech- 
nologies are used, not to deny health care or to deny medical privacy, but to benefit 
all of us. 

Thank you. 


Opening Statement of Hon. Jim Ramstad, a Representative in Congress 
from the State of Minnesota 

Mr. Chairman, thank you for calling this important hearing to discuss the con- 
fidentiality of medical records. 

Given the sensitive nature of personal health records, I am very aware of the im- 
portance of crafting appropriate legislation, as well as the complexities that sur- 
round this task. As Americans, we greatly value our personal privacy. As the world 
leaders in innovative and quality health care, we also understand the need to use 
some information in ways that promote research and development and quality as- 
sessments, as well as prevent fraud and abuse. 

Since this Subcommittee is charged with the responsibility of overseeing the Medi- 
care program, I especially appreciate this hearing’s attention to the privacy of per- 
sonally identifiable information for the 39 million Americans enrolled in that impor- 
tant health care program. 

The General Accounting Office (GAO) will testify today about the importance of 
using personally identifiable information for the proper operation of the Medicare 
program, as well as the effect of state restrictions on HCFA’s behavior. My constitu- 
ents and I certainly look forward to learning more about HCFA’s policies and prac- 
tices regarding the disclosure of information, as well as HCFA’s plans to improve 
the adequacy of its confidentiality safeguards and monitoring activities. 

Again, thank you for calling this important hearing. I look forward to learning 
more from our witnesses about the confidentiality of all medical records. 


Mr. Kleczka. Mr. Chairman, I just want to say a couple of 
things on the issue of privacy. 

It is an area where I have had concerns for years now. This is 
the second session that I have introduced my Personal Information 
Privacy Act which indicates that a person’s privacy is theirs and 
should not he waived or given away. 
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I know the Chairman would like to have something done by the 
Committee on medical privacy, hopefully by the Congress before 
the August. However, I would caution the Committee against rush- 
ing and passing a bill that does not truly protect the privacy of the 
individual. Some of the things I have read and heard about which 
concern me are legislation preempting States’ laws in this area, 
and provisions where a person who doesn’t give a blanket waiver 
for release of their health care records could be denied health care 
services. You know, I am hopeful that those rumored provisions 
won’t be in the final bill, but they disturb me greatly. I don’t think 
there are competing interests with my health care privacy. It is 
mine. It is my medical record. It is my background. It is my past. 
I paid, along with the insurance company, for the medical care de- 
scribed in my records. We have gotten to the point in this country 
where we don’t recognize these important facts. 

I happened to go to a new dentist in my home district of Mil- 
waukee, Wisconsin, and I was filling out the elongated form before 
he looked at my mouth, and on the form he asked for my Social 
Security number. Well, what does my Social Security number have 
to do with my teeth? I think it has a lot more to do with my tax 
liability and the interest I get from my bank, so I left that blank. 

Then there was another section of the application where he 
asked whether or not he or the office could release this informa- 
tion. It didn’t indicate for what purpose, but he wanted my blanket 
authorization to release the status of my teeth or my root canals 
to anyone he deemed appropriate to receive that information. There 
again I left that blank, and I think the consumer should have those 
rights. 

And the upshot, Mr. Chairman, was he treated me. Well, he 
didn’t really treat me. He gave me an evaluation. The treatment 
comes this Friday, and $1,300 later I am going to be “more better”. 
But, nevertheless, whatever is in that office and in my file is be- 
tween my dentist and myself and my mouth. I don’t think it should 
be shared on the Internet; it should not be shared with the world. 

If, in fact, somebody wants to do a clinical evaluation of Kleczka’s 
teeth, they should ask me; and at that point I would probably say 
yes because, you know, I have no special teeth. But I think the leg- 
islation that we develop in this Subcommittee or in this Congress 
should recognize that the ultimate right of privacy is with the pa- 
tient, is with the consumer, and I would not be willing, through my 
vote, to give away that right to any researcher, to any insurance 
company or to anyone else. 

Thank you, Mr. Chairman. 

Chairman Thomas. I thank the gentleman. 

If the first panel would come forward. The panel consists of 
Peggy Hamburg, M.D., Assistant Secretary for Planning and Eval- 
uation, U.S. Department of Health and Human Services; Michael 
Hash, Deputy Administrator at HCFA; and Leslie Aronovitz, who 
is the Associate Director of Health Financing and Public Health 
Issues, Health, Education, and Human Services Division, United 
States General Accounting Office. 

Your written testimony will be made a part of the record. In the 
time that you have available you may address us in any way you 
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see fit; and between the two of you, Mr. Hash, Honorable Ham- 
burg, you can work out which one goes first. 

Mr. Hash. I will be happy to go first. 

Chairman Thomas. So we will start with you and move across 
the panel. Thank you very much. 

STATEMENT OF MIKE HASH, DEPUTY DIRECTOR, HEALTH 

CARE FINANCING ADMINISTRATION, U.S. DEPARTMENT OF 

HEALTH AND HUMAN SERVICES 

Mr. Hash. Thank you. Chairman Thomas and Members of the 
Health Subcommittee. We appreciate the opportunity to come and 
testify about our efforts to improve protections for personally iden- 
tified beneficiary information that is in our program’s possession. 

No administration has been more committed to protecting med- 
ical privacy. President Clinton and Vice President Gore have both 
spoken about its paramount importance. We provide much greater 
protection for sensitive personal health information in our pro- 
grams than does the private sector. We strive to continually en- 
hance our protections, and we greatly appreciate the evaluations 
and the advice of our Office of Inspector General at HHS, as well 
as the General Accounting Office. 

As the GAO has confirmed in its report to you, personally identi- 
fiable information on Medicare beneficiaries is essential to the op- 
eration of the program. We need it to make accurate payments in 
the fee-for-service portion of Medicare and to risk adjust the 
Medicare-nChoice payments so that they take into account indi- 
vidual beneficiary health status information and reduce any dis- 
incentives for the enrollment of sicker beneficiaries. 

We also need personally identifiable information to conduct med- 
ical reviews and other activities that are essential to fighting 
waste, fraud and abuse in our programs. 

We certainly need it to coordinate benefits and ensure that we 
do not pay for claims that other insurers are liable to pay. 

And of course, we need it to protect — or to project, I should say, 
spending trends to accurately determine premium amounts for the 
Medicare Program, to develop and refine policies, including pay- 
ment policies; to assess and improve quality and access; and last 
but far from least, we need to be responsive to individual bene- 
ficiary inquiries about coverage and payment affecting their inter- 
ests. 

Medicare data are also an invaluable asset in the efforts to im- 
prove care and coverage for beneficiaries by our research colleagues 
at the National Institutes of Health, the Agency for Health Care 
Policy and Research, and other scientific investigators and policy 
analysts. 

Equally essential is our obligation to protect sensitive beneficiary 
information and to clearly inform beneficiaries of how information 
about them will be used in accordance with the requirements of the 
Privacy Act. Whenever concerns are raised about privacy, we take 
them seriously and we act on them immediately. 

That is what we did earlier this year when Vice President Gore 
and a number of Members of Congress identified potential prob- 
lems with our home health patient Outcome and Assessment Infor- 
mation Set known as OASIS. As you may recall, we halted imple- 
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mentation of the use of that instrument and conducted a thorough 
review of it. We made some important modifications to ensure that 
only essential information would he collected and that it would he 
properly protected, and we made sure that beneficiaries would he 
fully informed on why it is being collected and how it would be 
used. 

Because protecting beneficiary information is essential to our 
mission, we are taking several new steps to strengthen our efforts. 

First, we have established a new Beneficiary Confidentiality 
Board to provide executive leadership in all aspects of privacy pro- 
tection. 

Second, we are reviewing all of our beneficiary notices to ensure 
that they fully disclose in plain language how data collected from 
individual beneficiaries is to be used. 

Third, we are designing new systems that will easily track when 
and where the data are shared. 

Fourth, we are increasing efforts to ensure that researchers and 
Medicare contractors have properly protected patient data. 

And, finally, we have introduced a system security initiative 
across HCFA to aggressively address vulnerabilities that have been 
found through the Inspector General’s investigations and our own 
reviews. 

The new steps we are taking can only strengthen our solid track 
record of protecting confidential beneficiary information. Our new 
Beneficiary Confidentiality Board in particular will provide an 
overarching executive level focus on our obligation to remain vigi- 
lant in this area. We encourage continuing oversight by the Inspec- 
tor General’s Office and by our colleagues at the General Account- 
ing Office and others to help us address any new privacy concerns 
promptly, and we remain committed to swiftly addressing any re- 
lated issue or breaches that might occur. 

Mr. Chairman, thank you for this opportunity to discuss these 
issues; and I look forward to answering any questions that you or 
other Members of the Subcommittee may have. 

[The prepared statement follows:] 

Statement of Mike Hash, Deputy Director, Health Care Financing 
Administration, U.S. Department of Health and Human Services 

Chairman Thomas, Congressman Stark, distinguished Subcommittee members, 
thank you for inviting us to testify about our efforts to improve protections for per- 
sonally identifiable beneficiary information. No Administration has been more com- 
mitted to protecting medical privacy. President Clinton and Vice President Gore 
have both spoken about the paramount importance of medical records privacy. 

We provide much greater protection for sensitive information than does the pri- 
vate sector. We strive to continually enhance our protections. And we greatly appre- 
ciate the evaluations and advice of the HHS Inspector General (IG) and the General 
Accounting Office (GAO) in this regard. 

As the GAO recently confirmed, personally identifiable information on Medicare 
beneficiaries is essential to the operation of the Medicare program. We need it to: 

• make accurate payments in fee-for-service and to risk adjust Medicare+Choice 
payments so they take into account individual beneficiaries health status and cur- 
tail the disincentive for plans to enroll sicker beneficiaries; 

• conduct medical reviews and conduct other activities essential to fighting fraud, 
waste and abuse; 

• coordinate benefits and ensure that we do not pay claims for which other insur- 
ers are responsible; 

• project spending trends and accurately determine premium amounts; 

• develop and refine policy to ensure proper coverage and payment; 
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• assess and improve quality and access to care, for example by monitoring and 
then working to increase the number of beneficiaries receiving an influenza vaccina- 
tion; and, 

• be responsive to individual beneficiary inquiries about coverage and payment. 

Medicare data are also an invaluable asset in efforts to improve care and coverage 

for beneficiaries by our research colleagues at the National Institutes for Health, the 
Agency for Health Care Policy and Research, and other scientific investigators and 
policy analysts. 

It is equally essential that we protect the sensitive beneficiary information with 
which we are entrusted, and that we clearly inform beneficiaries of how information 
about them is used in accordance with the Privacy Act. Whenever concerns are 
raised about privacy, we take immediate action to address them. 

For example, when Vice President Gore and members of Congress identified po- 
tential problems with our home health patient Outcome and Assessment Informa- 
tion Set (OASIS) earlier this year, we halted implementation, conducted a thorough 
review, and made important modifications to ensure that only essential information 
would he collected, that it would be properly protected, that disclosures would be 
limited to the minimum necessary to carry out HCFA’s mission, and that bene- 
ficiaries would be fully informed on why it is being collected and how it will be used. 

Because protecting beneficiary information is essential to our mission, we are tak- 
ing several new steps to strengthen our efforts. 

• We have established a new Beneficiary Confidentiality Board to provide execu- 
tive leadership in all aspects of privacy protection. 

• We are reviewing all beneficiary notices to ensure that they fully disclose in 
plain language how data are used. 

• We are designing new systems that will easily track when and where data are 
shared. 

• We are increasing efforts to ensure that researchers and Medicare contractors 
have properly protected data. 

• i)md we have introduced a systems security initiative to aggressively address 
vulnerabilities found through the Inspector General’s and our own reviews. 

Confidentiality Board 

We have established a new Beneficiary Confidentiality Board to coordinate and 
consolidate privacy policies and ensure that we do not collect or disseminate more 
information than is absolutely necessary. The Board is led by the Director of the 
Center for Beneficiary Services and includes senior executives from all Agency com- 
ponents that have a direct stake in privacy and confidentiality, including the Center 
for Medicaid and State Organizations, the Center for Health Plans and Providers, 
the Office of Clinical Standards and Quality, the Office of Strategic Planning, the 
Program Integrity Group, the Office of Information Services, the Office of the Actu- 
ary, and Regional Office representatives. Core responsihilities include: 

• establishing strategic goals, overarching policies, and objectives for protecting 
data; 

• establishing, coordinating, and issuing all policy decisions on privacy and con- 
fidentiality; 

• assuring implementation and enforcement of guiding principles for Agency-wide 
strategic goals and objectives; 

• providing executive oversight of compliance with all privacy and confidentiality 
statutory and regulatory requirements, and assuring that beneficiary protections are 
enforced; 

• reviewing all current operations with regard to systems of records and bene- 
ficiary protections to assure that strategic goals and objectives and guiding prin- 
ciples are in place and effective at all levels, including contractors to sub-contrac- 
tors; 

• evaluating legislative proposals involving the collection, use, and disclosure of 
personal information by any entity, public or private, for consistency with legal 
standards and our guiding principles; 

• assuring that use of new information technologies sustains protections of infor- 
mation that directly identifies an individual or from which an individual’s identity 
can be deduced; 

• assuring that personal information contained in our systems of records are han- 
dled in full compliance with fair information practices as set out in the Privacy Act; 
and, 

• serving as a senior-level forum for the discussion and resolution of key strategic 
issues affecting HCFA’s privacy and confidentiality policies and implementation 
strategies. 
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This will help ensure a central focal point for privacy issues and accountability 
across all aspects of Agency business. 

Beneficiary Notices 

Beneficiaries need to know and understand why personally identifiable informa- 
tion is collected and how it is used. This is both a legal requirement and an ethical 
obligation. There are many different notices to beneficiaries about why information 
is collected and how it is used. 

Some, including the newest notice for OASIS, has been carefully crafted to ensure 
that it is clear and comprehensive. However, we agree with the GAO that some of 
the earlier beneficiary notices do not meet the Privacy Act requirements to inform 
beneficiaries about: 

• the authority under which we are collecting information; 

• the principal purpose for which it will be used; 

• the routine uses for which it may be used; and 

• whether the individual is required to supply the information and what the con- 
sequences are if the individual does not supply the information 

Earlier this year, we began a systematic review of all beneficiary privacy notices, 
rewriting them as necessary, to ensure that they provide full disclosure in plain lan- 
guage. 


Tracking Data Releases 

The Privacy Act stipulates that beneficiaries are entitled to know, upon request, 
any and all instances in which identifiable information about them has been shared. 
We have never had such a request, but have realized that complying with one would 
be extraordinarily labor intensive with our current information systems. It also is 
currently difficult to provide data on our Privacy Act compliance to the Office of 
Management and Budget (0MB) for its oversight responsibilities. 

We are now working to fully define the requirements for information systems that 
will ensure full compliance with 0MB and Privacy Act requirements. Implementing 
these systems is a top information technology priority once we have cleared the Year 
2000 hurdle. In the interim, we have increased our surveillance of these requests 
and are improving our existing tracking systems to align them more fully with 0MB 
requirements. 


Data Use Oversight 

The data files we maintain are an invaluable asset to medical and health policy 
researchers in their efforts to improve beneficiary care and coverage. For example: 

• we are able to share the extensive information we have on beneficiaries with 
end-stage renal disease directly with National Institute of Health scientists that 
they can use to study and improve treatment; 

• the Agency for Health Care Policy and Research Patient Outcome Research 
Teams rely upon this beneficiary information to develop new insights on the treat- 
ment of the most frequent medical conditions affecting the elderly; and, 

• the data files are also critical to investigators under contract to us for evalua- 
tion and development of payment, coverage and treatment policies. 

The Privacy Act does allow for sharing data with researchers as long as their 
work promotes the Agency’s mission, is compatible with the purpose for which the 
information was collected, and proper privacy protections are in place. 

Many research needs are met by “public use files” that we readily make available, 
and from which any data that could identify individual beneficiaries is removed, in- 
cluding information that could be used to deduce an individual beneficiary’s identity. 
Additional research needs are met by encrypted data files in which data elements 
that explicitly identify individuals (such as names, claim numbers, physician num- 
bers, service dates, and date of birth) are either removed, encrypted, or stated as 
a range (of dates, for example). Some data elements remain in these files that could 
possibly be linked with other information to a deduce specific individual’s identity. 
Finally, there are some valid research endeavors for which individually identifiable 
information is essential. 

For all research requests, we conduct a careful review to ensure that any disclo- 
sure of information is allowed under the Privacy Act. For research projects outside 
of HHS, or not funded by HHS, we conduct another careful level of review to ensure 
that the request is for tbe bare minimum of information that is essential to a given 
research project, and that the project has scientific merit and sound research meth- 
odology. We are also diligent in making clear to researchers how data that could 
be used to identify individual beneficiaries must be protected. 
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When proper criteria are met, we develop data use agreements that contain ex- 
plicit protections covering the release and use of data. These agreements also specify 
that the user must contact us within 30 days of completion of the approved project 
for instructions on whether to return all data files to us or to destroy such data and 
execute an attestation to certify the destruction. We have taken swift action to ad- 
dress the rare situations that we are aware of in which researchers have not fully 
complied with Privacy Act requirements and our data use agreements to clarify 
their responsibilities to protect beneficiary confidentiality. 

We are now increasing efforts to verify that researchers have in fact complied 
with their data use agreements to protect data and dispose of it properly once 
projects are completed. We expect to reduce our backlog in half by the end of this 
fiscal year. We also look forward to working with the GAO and other experts to de- 
velop more systematic ways to proactively assure compliance with data use agree- 
ments so we can prevent problems before potential security breaches occur. 

Systems Security 

We are also working to improve security in electronic data processing. We have 
introduced a systems security initiative to aggressively address vulnerabilities found 
through the Inspector General’s and our own reviews. Our goal is to be able to 
maintain the tightest possible security as the business environment in which we op- 
erate changes, and to integrate security into every aspect of our information tech- 
nology management activities. 

One of the first things our new Chief Information Officer, Gary Christoph, did 
when he came on board was to hire outside experts to search out security weak- 
nesses in our systems so we could proactively address them. We also have acquired 
new technology, beefed up staff training, conducted our own risk assessments and 
internal audits, and enhanced procedures for guarding access to sensitive systems. 
However, there are no silver bullets, and vigilance here must be constant given the 
ever changing nature of technology and evolution of new risks. 

As we clear the Year 2000 hurdle and its demand on our systems, we will be able 
to increase our security even more through our comprehensive security initiative. 
We are now in the process of developing the protocols to systematically monitor the 
systems security of our claims processing contractors. The new evaluation process 
will specifically assess administrative, technical, and physical protection measures 
to protect beneficiary privacy. 

We also have recently restructured our contractor oversight operations and initi- 
ated a new contractor evaluation process which will incorporate the security review 
findings and improve our overall management of the contractors. In addition, the 
Administration has proposed comprehensive contracting reform legislation that will 
bring Medicare contracting authority in line with standard Federal government con- 
tracting procedures and make it easier for us to terminate contractors if we find 
they are not providing adequate privacy protections. 

We will continue to use the annual Inspector General CFO audits as an oppor- 
tunity to identify threats to the integrity of our data systems and to ensure that 
we address vulnerabilities in a timely manner. We also are carrying out activities 
required by the Presidential Decision Directive 63, as well as security requirements 
in the Health Insurance Portability and Accountability Act, which will further 
strengthen our security protections. 


Conclusion 

The new steps we are taking can only strengthen our solid track record of pro- 
tecting confidential beneficiary information. Our new Beneficiary Confidentiality 
Board, in particular, will provide an overarching executive-level focus on our obliga- 
tion to remain ever vigilant. We encourage the IG, GAO, and others to also be vigi- 
lant in raising and helping us to address any concerns about protections for sen- 
sitive information. And we remain committed to swiftly and effectively addressing 
any related issues or breaches that might arise. I thank you again for holding this 
hearing, and I am happy to answer any questions you might have. 


Chairman Thomas. Thank you very much. 
Doctor. 

Dr. Hamburg. Mr. Chairman. 
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Chairman Thomas. Let me caution you that these microphones 
are very unidirectional, so you need to speak directly into it. Thank 
you. 

STATEMENT OF HON. MARGARET A. HAMBURG, M.D., ASSIST- 
ANT SECRETARY FOR PLANNING AND EVALUATION, U.S. DE- 
PARTMENT OF HEALTH AND HUMAN SERVICES 

Dr. Hamburg. Thank you for this opportunity to appear before 
you to discuss the Secretary’s recommendations for privacy legisla- 
tion. 

I would also like to emphasize the administration’s support for 
passage of bipartisan legislation providing comprehensive privacy 
protection for people’s health care information. Stories abound that 
raise concern that our sensitive medical information can enter the 
wrong hands and be misused. For example, at one HMO, every 
clinical employee could tap into patients’ computer records and see 
notes from psychotherapy sessions. The director of a work site 
health clinic testified before the National Committee on Vital and 
Health Statistics that he was frequently pressed to disclose his pa- 
tients’ health information to their supervisors. 

These kinds of problems underlie the legitimate fear that Ameri- 
cans have about the security of their health care information. Al- 
most 75 percent of our citizens say that they are at least somewhat 
concerned that computerized medical records will have a negative 
effect on their privacy. If we don’t act now, public distrust could 
deepen and ultimately stop citizens from disclosing important infor- 
mation to their doctors or from seeking needed medical testing or 
treatment, especially for sensitive concerns like mental illness or 
genetic disorders. 

The problem is not theoretical. Numerous analyses over several 
years by government, industry and professional groups have identi- 
fied serious gaps in protections for health information and have 
recommended Federal legislation to close them. 

In September 1997, Secretary Shalala presented her rec- 
ommendations for protecting the “confidentiality of individually 
identifiable health information.” In that report the Secretary con- 
cluded that Federal legislation establishing a basic, national floor 
of confidentiality is necessary to provide rights for patients and de- 
fine responsibilities of recordkeepers. She recommended that Fed- 
eral legislation focus on health care payers and providers and the 
information they create and receive in providing and paying for 
health care. 

The Secretary recommended legislation to implement five key 
principles: 

First, information about a consumer that is obtained for deliv- 
ering and paying for health care should, with very few exceptions, 
be used and disclosed for health purposes and health purposes 
only. 

Second, those who legally receive health information should be 
required to take reasonable steps to safeguard it. They should en- 
sure that the information is available only to those who should 
have access to it and only for purposes authorized by the patient 
or authorized by law. 
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Third, consumers should have access to their health records and 
should know how their health information is being used and who 
has looked at it. Consumers should be given a clear explanation of 
these rights. 

Fourth, people who violate the confidentiality of our personal 
health information should be accountable. Those who use this in- 
formation improperly should be punished. 

These first four principles must, however, be balanced against 
the fifth principle, public responsibility. Just like our free speech 
rights, privacy rights cannot be absolute. We must balance our pro- 
tection of privacy with our public responsibilities to support other 
critical national goals, public health, research, quality care and our 
fight against health care fraud and abuse. 

Our Department is keenly aware of the need to use personal 
health information for each of these national priorities. For exam- 
ple, our researchers have used health records to help us fight child- 
hood leukemia and to learn that beta blocker therapy results in 
fewer rehospitalizations and improved survival among elderly sur- 
vivors of acute myocardial infarction or heart attack. Public health 
agencies use health records to warn of outbreaks of emerging infec- 
tious disease threats. And our efforts to improve quality in our 
health care system depend upon our ability to review health infor- 
mation. 

As you know, HIPAA requires that if Congress fails to enact com- 
prehensive privacy legislation by August of this year, HHS must 
implement final regulations by February of the year 2000. We have 
assembled a team from all of the relevant Federal agencies to work 
on these regulations, and it is our intent to have an NPRM, Notice 
of Proposed Rule Making ready for publication by fall. While we 
are moving ahead to have the regulation ready, the President and 
Secretary Shalala have made it clear that their first priority is to 
see Congress enact a comprehensive bill. Our staff have been work- 
ing closely with many of your staff, and staff in the Senate, to as- 
sist in achieving this goal. We are eager to see legislation and want 
to work with you to make this happen. 

Mr. Chairman, the principles embodied in our recommendations 
should guide a comprehensive law that will create substantive Fed- 
eral standards and provide our citizens with real peace of mind. 
The principles represent a practical, comprehensive and balanced 
strategy to protect health care information that is collected, shared 
and used in an increasingly complex world. 

Thank you again for giving me this opportunity to testify. I look 
forward to answering any questions that you may have. 

[The prepared statement follows:] 

Statement of the Hon. Margaret A. Hamburg, M.D., Assistant Seeretary for 
Planning and Evaluation, U.S. Department of Health and Human Serviees 

Mr. Chairman, Congressman Stark, distinguished members of the Committee: I 
appreciate the opportunity to appear before you to discuss the Administration’s rec- 
ommendations for federal legislation to protect the privacy of health information. 

As you may remember. Secretary Shalala first presented her recommendations, 
required by the Congress under Section 264 of the Health Insurance Portability and 
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Accountability Act (HIPAA), in September 1997. ^ I think it is fair to say that the 
recommendations were well received and have been used to assist others in crafting 
their own legislative proposals. 

HIPAA also requires that if Congress fails to enact comprehensive privacy legisla- 
tion by August of this year, HHS must implement final regulations by February 
2000. We have assembled an interagency team to work on the regulations including 
representatives from the Departments of Labor, Defense, Commerce, the Social Se- 
curity Administration, the Veterans Administration and the Office of Management 
and Budget. It is our intent to have the regulations prepared in time to meet the 
statutory deadline. 

While we are moving ahead to have the regulation ready, the President and Sec- 
retary Shalala have made it very clear that their first priority is to see Congress 
enact a comprehensive health information privacy bill. Our staff have been working 
closely with many of your staff, and staff in the Senate, to assist you in achieving 
that goal. Again, let me reiterate, we want to see legislation, and we want to work 
with you to make that happen. 

The issue of health information privacy is quite complex — in order to resolve it 
legislatively, some difficult choices will have to be made. We believe that our rec- 
ommendations strike the appropriate balance between the privacy needs of our citi- 
zens and the critical needs of our health care system and our nation. This is an 
issue that touches every single American, and to reach resolution we will need a 
bipartisan effort. 


The Need for Legislation 

It has been 25 years since former HEW Secretary Elliot Richardson set forth prin- 
ciples that led to the landmark Federal Privacy Act. Those 25 years have brought 
vast changes in our health care system. 

Revolutions in our health care delivery system mean that we must place our trust 
in entire networks of insurers and health care professionals — both public and pri- 
vate. The computer and telecommunications revolutions mean that information no 
longer exists in one place — it can travel in real time to many hospitals, physicians, 
insurers, and across state lines. 

In addition, revolutions in biology mean that a whole new world of genetic tests 
have the potential to either help prevent disease or reveal the most personal health 
information of a family. Without safeguards to assure citizens that getting tested 
will not endanger their families’ privacy or health insurance, we could endanger one 
of the most promising areas of research our nation has ever seen. 

Health care privacy can be safeguarded. It must be done with national legislation, 
national education, and an on-going national conversation. 

Currently, when we give a physician or health insurance company precious health 
information, the level of protection will vary widely from state to state. We have 
no comprehensive federal health information privacy standards. Because the prac- 
tice of health care is increasingly becoming interstate through mergers, complex 
contractual relationships and enhanced telecommunications, we need strong federal 
standards. Establishing a baseline that provides uniformity will help reassure the 
public that they can trust their providers and insurers to keep their health informa- 
tion secure. 

In developing our recommendations for federal legislation, we learned a great deal 
through consultations with a variety of outside groups and from six days of public 
hearings conducted by the National Committee on Vital and Health Statistics, our 
statutory federal advisory committee for health data and privacy policy. The hear- 
ings involved over 40 witnesses from across the health community, including health 
care professionals, plans, insurance companies, the privacy community, and the pub- 
lic health and research communities. 

We believe our recommendations provide a balanced framework for legislation 
that can protect the privacy of medical records, guarantee consumers the right to 
inspect their records, and punish unauthorized disclosures of personal health data 
by hospitals, insurers, health plans, drug companies or others. 


1 “Confidentiality of Individually-Identifiable Health Information, Recommendations of the 
Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance Port- 
ahility and Accountahility Act of 1996” can be found on the HHS web site at: <http:// 
aspe .os . dhhs.gov/admnsimp/>. 
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The Principles 

The Secretary’s recommendations for legislation are grounded in five key prin- 
ciples: Boundaries, Security, Consumer Control, Accountability, and Public Respon- 
sibility. 

Boundaries 

The first is the principle of Boundaries: With very few exceptions, personally iden- 
tifiable health care information should be disclosed for health purposes and health 
purposes only. It should be easy to use it for those purposes, and very difficult to 
use it for other purposes. 

For example, employers should be able to use the information furnished by their 
employers to provide on-site care or to administer a health plan in the best interests 
of those employees. But those same employers should not be able to use information 
obtained for health care purposes to discriminate against individuals when making 
employment decisions — such as hiring, firing, placements and promotions. To en- 
force these boundaries, we recommend strong penalties for the inappropriate use or 
disclosure of medical records. 

We recommend that the legislation apply specifically to providers and payers, and 
to anyone who receives health information from a provider or payer, either with the 
authorization of the patient or as authorized explicitly by legislation. 

However, our recommendations acknowledge that these providers and payers do 
not act alone. In order for a provider or payer to operate efficiently, it may need 
to enlist a service organization to perform an administrative or operational function. 
For example, a hospital may hire an organization to encode and process bills, or a 
managed care organization may contract with a pharmaceutical benefit manage- 
ment company to provide information to pharmacists about what medications are 
covered and appropriate for their customers. 

The numbers and types of service organizations are increasing every day. While 
most do not have direct relationships with the patients, they do have access to their 
personal health care information. Therefore, we recommend that they should be 
bound by the same standards. For example, a health plan’s contractor should be al- 
lowed to have access to patient lists in order to do mailings to remind patients to 
schedule appointments for preventive care. But it should not be able to sell the pa- 
tient lists to a pharmaceutical company for a direct mailing announcing a new prod- 
uct. 

Because we recommend a minimum floor of protection for all records, our report 
does not distinguish among types of health care information based on sensitivity. 
For example, our recommendations do not include specific provisions related to ge- 
netic information in health records. Genetic information should be covered by the 
same rules. However, we recognize that the public is especially concerned about the 
unique properties of genetic information — its predictive nature, and its link to per- 
sonal identity and kinship and its ability to reveal our family secrets. 

Therefore while you are developing privacy legislation, you should also consider 
how to limit the collection and disclosure of genetic information and prohibit health 
insurers and employers from discriminating against individuals on the basis of their 
genetic information. Because of the speedy development of genetic technologies and 
its potential for abuse, we recommend that legislation concerning discrimination in 
underwriting by insurers or other improper use of such information be considered 
expeditiously. We look forward to continuing our work with you on this issue. 

Security 

The second principle is Security. Americans need to feel secure that when they 
give out personal health care information, they are leaving it in good hands. Infor- 
mation should not be used or given out unless either the patient authorizes it or 
there is a clear legal basis for doing so. 

There are many different ways that private information like your blood tests could 
become public. People who are allowed to see it — such as lab technicians — can mis- 
use it either carelessly or intentionally. And people who should not be seeing it — 
such as marketers — can find a way to access it, either because the organization 
holding the information doesn’t have proper safeguards or the marketers can find 
an easy way around the safeguards. To give Americans the security they expect and 
deserve. Congress should develop legislation that requires those who legally receive 
health information to take reasonable steps to safeguard it and face consequences 
for failure to do so. 

What do we mean by reasonable steps? The organizations should adopt protective 
administrative and management techniques, educate their employees, and impose 
disciplinary sanctions against employees who use information improperly. 
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We are addressing some of these steps in our Security Standards regulation, im- 
plementing the Administrative Simplification mandate under HIPAA. Our NPRM 
laid out a range of approaches for safeguarding the information to which the HIPAA 
mandate applies. However, that regulation will only cover the security of specific 
electronically maintained records. We need comprehensive privacy legislation to 
cover all health information that needs this kind of protection. 

We don’t believe a law can specify the details of these protections because each 
organization must keep pace with the new threats to our privacy and the technology 
that can either abate or exacerbate them. But a federal law can require everyone 
who holds health information to have these types of safeguards in place and specify 
the appropriate sanctions if the information is improperly disclosed. 

Consumer Control 

The third principle is Consumer Control. The principles of fair information prac- 
tice (formulated in 1973 by a committee appointed by Secretary Richardson) in- 
cluded as a basic right: “There must be a way for an individual to find out what 
information about him is in a record and how it is used.” 

With very narrow exceptions, consumers should have the right to find out what 
is contained in their records, find out who has looked at them, and to inspect, copy 
and, if necessary, correct them. Consumers should be given a clear explanation of 
these rights and they should understand how organizations will use their informa- 
tion. Let me give you an example of why this is important. According to the Privacy 
Rights Clearinghouse, a California physician in private practice was having trouble 
getting health, disability, and life insurance. She ordered a copy of her report from 
the Medical Information Bureau — an information service used by many insurance 
companies. It included information showing that she had a heart condition and Alz- 
heimer’s disease. There was only one problem. None of it was true. Unfortunately, 
under the current system these types of errors occur all too often. Consumers often 
do not have access to their own health records and even those who do are not al- 
ways able to correct some of the most egregious errors. 

With that in mind, our recommendations set forth a set of practices and proce- 
dures that would require that insurers and health care providers provide consumers 
with a written explanation detailing who has access to their information and how 
that information will be used, how they can restrict or limit access to it, and what 
their rights are if their information is disclosed improperly. 

We also recommend procedures for patients to inspect and copy their information, 
and set out the very limited circumstances under which patient inspection should 
be properly denied. 

Finally, we recommend a process for patients to seek corrections or amendments 
to their health information to resolve situations in which innocent coding errors 
cause patients to be charged for procedures they never received, or to be on record 
as having conditions or medical histories that are inaccurate. 

Accountability 

The fourth principle is Accountability. If you are using information improperly, 
you should be punished. This flows directly from the second principle of security — 
the requirement to safeguard information must be followed by real and severe pen- 
alties for violations. Congress should send the message that protecting the confiden- 
tiality of health information is vitally important, and that people who violate that 
confidence will be held accountable. 

We recommend that offenders should be subject to criminal felony penalties if 
they knowingly obtain or use health care information in violation of the standards 
outlined in our report. The penalties mandated in privacy legislation should be high- 
er when violations are for monetary gain, similar to those Congress mandated in 
the administrative simplification provisions of HIPAA. In addition, when there is a 
demonstrated pattern or practice of unauthorized disclosure, those committing it 
should be subject to civil monetary penalties. 

In addition to punishing the perpetrators, we must give redress to the victims. 
We believe that any individual whose privacy rights have been violated — whether 
those rights were violated negligently or knowingly — should be permitted to bring 
a legal action for actual damages and equitable relief. When the violation is done 
knowingly, attorney’s fees and punitive damages should be available. 

These first four principles — Boundaries, Security, Consumer Control and Account- 
ability — must be carefully weighed against the fifth principle. Public Responsibility. 

Public Responsibility 

Just like our free speech rights, privacy rights can never be absolute. We have 
other critical — yet often competing — interests and goals. We must balance our pro- 
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tections of privacy with our public responsibility to support national priorities — pub- 
lic health and safety, research, quality care, and our fight against health care fraud 
and abuse and other unlawful activities. 

Our Department is acutely aware of the need to use personal health information 
for each of these national priorities. For example, HHS auditors use health records 
to uncover kickbacks, overpayments and other fraudulent activity. Researchers have 
used health records to help us fight childhood leukemia and uncover the link be- 
tween DES and reproductive cancers. Public health agencies use health records to 
warn us of outbreaks of emerging infectious diseases. In addition, our efforts to im- 
prove quality in our health care system depend on our ability to review health infor- 
mation to determine how well health institutions and health professionals are car- 
ing for patients. 

For public health and safety, research, quality evaluations, fraud investigations, 
and legitimate law enforcement purposes, it’s not always possible, or desirable, to 
ask for each patient’s permission for access to the necessary health information. 
And, in many cases, doing so could create major obstacles in our efforts. While we 
must be able to use identifiable information when necessary for these purposes, we 
should use information that is not identifiable as much as possible. 

To demonstrate how access must be balanced against public responsibility, let me 
outline a few of the areas in which we recommend that disclosure of health informa- 
tion should be permitted without patient authorization. 

Public Health 

Under certain circumstances, we recommend permitting health care professionals, 
payers, and those receiving information from them to disclose health information 
without patient authorization to public health authorities for disease reporting, ad- 
verse event reporting, public health investigation, or intervention. This is currently 
how the public health system operates under existing State and federal laws. 

For example, consider the outbreak of E. coli in hamburger that resulted in the 
largest recall of meat products in history. Public health authorities, working with 
other officials, used personally identifiable information to identify quickly the source 
of the outbreak and thereby prevent thousands of other Americans from being ex- 
posed to a contaminated product. 

Research 

An important mission for the Department of Health and Human Services is to 
fund and conduct health research. We understand that research is vitally important 
to our health care and to progress in medical care. Legislation should not impede 
this activity. 

Today the Federal Policy for Protection of Human Subjects and FDA’s Human 
Subject Regulations protect participants in most research studies that are funded 
or regulated by the federal government. These rules have worked well to protect the 
privacy of individuals while not impeding the conduct of research. We recommend 
that similar privacy protections should be extended to all research in which individ- 
ually identifiable health information is disclosed, and not just federally funded or 
regulated research. 

All researchers must determine whether their research requires the retention of 
personal identifiers. There are research studies that can only be conducted if identi- 
fiers are retained; for example, outcomes studies for heart attack victims or the re- 
cent study which identified a correlation between the incidence of Sudden Infant 
Death Syndrome and the infant’s sleep position. If, and when, personal identifiers 
are no longer needed, the researcher should be required to remove them and provide 
assurances that the information will be protected from improper use and unauthor- 
ized additional disclosures. 

Under the Common Rule, if personal identifiers are necessary, an IRB must re- 
view the research proposal and determine whether informed consent is required or 
may be waived. In order for informed consent to be waived, an IRB must determine 
that the research involves no more than minimal risk to participants, that the ab- 
sence of informed consent will not adversely affect the rights or welfare of partici- 
pants, and that conducting the research would be impracticable if consent were re- 
quired. This or a similar mechanism of review should be applicable for all research 
using individually identifiable health information without informed consent regard- 
less of funding source. 

This recommendation is consistent with the Federal Policy for the Protection of 
Human Subjects as well as the Privacy Act — policies that have protected federal re- 
search participants and research records for a quarter of a century and that have 
saved lives and fostered countless improvements in medical treatment. 
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Preemption 

Our recommendations call for national standards. But, we do not recommend out- 
right or overall federal preemption of existing State laws that are more protective 
of health information. 

Some protections that we recommend may be stronger than some existing State 
laws. Therefore, we recommend that Federal legislation replace State law only when 
the State law is less protective than the Federal law. Thus, the confidentiality pro- 
tections provided would be cumulative and the Federal legislation would provide 
every American with a basic set of rights with respect to health information. 

Conclusion 

Mr. Chairman, the five principles embodied in our recommendations — Boundaries, 
Security, Consumer Control, Accountability, and Public Responsibility — should 
guide a comprehensive law that will create substantive federal standards and pro- 
vide our citizens with real peace of mind. 

The principles represent a practical, comprehensive and balanced strategy to pro- 
tect health care information that is collected, shared, and used in an increasingly 
complex world. 

In addition to creating new federal standards, we must ensure that every single 
person who comes in contact with health care information understands why it is im- 
portant to keep the information safe, how it can be kept safe, and what will be the 
consequences for failing to keep it safe. Most of all, we must help consumers under- 
stand not just their privacy rights, but also their responsibilities to ask questions 
and demand answers — to become active participants in their health care. 

We cannot expect to solve these problems all at once. With changes in medical 
practices and technology occurring every day, we need to be flexible, to change 
course if our strategy isn’t working and meet new challenges as they arise. 

Mr. Chairman, we in the Department and the Administration are eager to work 
with you to enact strong national medical privacy legislation. 

Thank you again, for giving me this opportunity to testify. My colleagues and I 
look forward to answering any questions that you may have. 


Chairman Thomas. Thank you very much, Doctor. 

Ms. Aronovitz. 

STATEMENT OF LESLIE G. ARONOVITZ, ASSOCIATE DIRECTOR, 

HEALTH FINANCING AND PUBLIC HEALTH ISSUES, HEALTH, 

EDUCATION, AND HUMAN SERVICES DIVISION, U.S. GEN- 
ERAL ACCOUNTING OFFICE 

Ms. Aronovitz. Mr. Chairman and Members of the Sub- 
committee, we are pleased to be here today as you discuss the var- 
ious issues associated with protecting the privacy of personally 
identifiable information. 

For the last several months, we have been studying the manner 
in which HCFA protects personally identifiable health information 
it collects on Medicare beneficiaries, and we are releasing our re- 
port today at this hearing. 

Mr. Hash has mentioned some of the initiatives HCFA is under- 
taking. I would like to step back a bit and provide some informa- 
tion on our study. 

To carry out its legislative responsibilities, HCFA needs to collect 
and maintain personally identifiable information on its 39 million 
Medicare beneficiaries. For example, it needs personally identifi- 
able information about beneficiaries’ demographics, enrollment and 
utilization of health care services to pay claims, determine the ini- 
tial and ongoing eligibility of beneficiaries and review the care 
beneficiaries receive in terms of access, appropriateness and qual- 
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ity. HCFA also uses this information in essential research activities 
that can lead to improvements in rate setting, services provided, 
and quality of care. 

We found that HCFA’s policies and practices regarding disclosing 
personally identifiable health information are generally consistent 
with the provisions of the Privacy Act. When beneficiaries first sign 
up for Medicare and then when they receive care or participate in 
a demonstration project, for example, they receive notices that to 
different degrees include a discussion about how their information 
might be used. HCFA may disclose information without an individ- 
ual’s consent under certain circumstances such as for research pur- 
poses or authorized civil and criminal law enforcement activities. 

In determining the validity of specific data requests, HCFA at- 
tempts to balance the needs of the requesters with the need to pro- 
tect a beneficiary’s confidentiality. Therefore, the agency would 
screen requests for sensitive information from non-HCFA research- 
ers more thoroughly than it would from HCFA staff who need the 
data to conduct the agency’s business. 

We did identify, however, some areas where HCFA needs to do 
a better job to assure that personally identifiable information is not 
intentionally or inadvertently shared with those not authorized to 
have it. Specifically, the HHS OIG continues to find vulnerabilities 
in HCFA and its contractors’ management of electronic information 
that could lead to individuals reading, disclosing or simply tam- 
pering with confidential information. In addition, because HCFA 
does not routinely monitor contractors and others who obtain such 
sensitive information, it cannot assure that those organizations are 
maintaining the information in a safe manner. 

This being said, we found that HCFA has actually received very 
few complaints about Privacy Act violations to date. Nevertheless, 
HCFA officials told us that they are in the process of addressing 
the OIG’s findings, to the extent that resources permit, given the 
need to focus on Y2K computer requirements in the short term, 
and that they are stepping up their oversight efforts at their Medi- 
care contractors to assure that these organizations have estab- 
lished and are implementing a sound security plan. 

In regard to providing beneficiaries an accounting of the disclo- 
sures it makes, which is a capability called for by the Privacy Act, 
we found that HCFA would be hard pressed to do so without a lot 
of effort. We also believe that HCFA could do a better job in in- 
forming beneficiaries of the purposes to which their information 
may be disclosed. To address these issues, as Mr. Hash has men- 
tioned, HCFA has established a new executive Beneficiary Con- 
fidentiality Board and initiated a number of actions in response to 
January 1999, 0MB guidance to all agencies to review information 
practices for compliance with the Privacy Act. 

The last area we looked at was the potential effect on HCFA of 
State laws governing privacy. We found that some States prohibit 
the disclosure of sensitive health-related information except for 
very specific purposes. HCFA’s practice has been to respect State 
laws to the extent possible when these laws are more restrictive 
than the Federal law. HCFA officials told us that these State laws 
have not prevented the agency from receiving information nec- 
essary for paying claims but may change its policy as the agency 
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develops and implements payment systems that depend on diag- 
nostic information. 

If HCFA had to comply with the myriad of State laws governing 
the receipt and use of health information, its ability to set rates, 
monitor quality and conduct and support health-related research 
could be hampered. 

Currently, unlike the private sector, HCFA can invoke the Su- 
premacy Clause of the U.S. Constitution to get information it needs 
to carry out its mission without regard to State requirements, al- 
though it has not done so to date. 

Mr. Chairman, this concludes my prepared statement, and I also 
would be very happy to answer any questions you or the other 
Members of the Subcommittee might have. 

[The prepared statement follows:] 

Statement of Leslie G. Aronovitz, Associate Director, Health Financing and 

Public Health Issues, Health, Education, and Human Services Division, 

U.S. General Accounting Office 

Mr. Chairman and Members of the Subcommittee: 

We are pleased to be here today to discuss how the Health Care Financing Ad- 
ministration (HCFA) protects personally identifiable health information on Medicare 
beneficiaries. HCFA, an agency of the Department of Health and Human Services 
(HHS), possesses the nation’s largest collection of health care data, with information 
on 39 million Medicare beneficiaries. To operate the Medicare program, HCFA must 
collect personally identifiable information on Medicare beneficiaries, such as their 
names, addresses, and health insurance claims numbers, as well their diagnostic 
and treatment information. HCFA uses this information for a variety of purposes, 
including paying approximately 900 million Medicare claims annually and con- 
ducting health-related research to improve quality of care. When a person signs up 
for Medicare, he or she might not realize the variety of uses HCFA makes of his 
or her personally identifiable information or that this personal information may le- 
gitimately be disclosed by HCFA outside the agency. 

The personally identifiable information that HCFA collects on Medicare bene- 
ficiaries is protected by the Privacy Act of 1974. This law, which governs the collec- 
tion, maintenance, and disclosure of federal agency records, balances the govern- 
ment’s need to maintain information about individuals with their right to be pro- 
tected against unwarranted invasions of their privacy. State laws also protect the 
privacy of certain personally identifiable medical information, and vary significantly 
in their scope and specific provisions. To create a more uniform set of protections, 
the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires 
that, unless Congress enacts a health privacy law establishing standards for the 
electronic exchange of health information by August 21, 1999, HHS must promul- 
gate such standards within the following 6 months. 

Today, we are releasing a report you requested that focuses on four areas related 
to HCFA’s use of personally identifiable information.^ They are: 

• HCFA’s need for personally identifiable health information to manage the Medi- 
care program; 

• HCFA’s policies and practices regarding disclosure of information on Medicare 
beneficiaries to other organizations; 

• The adequacy of HCFA’s safeguards for protecting the confidentiality of elec- 
tronic information and its monitoring of other organizations that obtain information 
on Medicare beneficiaries; and 

• The effect on HCFA of state restrictions on the disclosure of confidential health 
information. 

To develop our findings, we interviewed HCFA officials and reviewed documents 
HCFA provided on its confidentiality policies and procedures. We also reviewed 
guidance from the Office of Management and Budget (0MB) related to the Privacy 
Act, financial statement audits of HCFA from the HHS Office of Inspector General 
(OIG), and HCFA’s plan for addressing problems identified in OIG audits. In addi- 
tion, we examined the privacy protections of a number of state laws and obtained 


^MEDICARE: Improvements Needed to Enhance Protection of Confidential Health Information 
(GAO/HEHS-99-140, July 20, 1999). 
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comments from HCFA officials about the effects of such laws on the management 
of the Medicare program. 

In summary, we found that personally identifiahle information on Medicare bene- 
ficiaries is vital to the operation of the Medicare program, and that HCFA can dis- 
close such information to other organizations consistent with provisions of the Pri- 
vacy Act. HCFA has policies and procedures for evaluating requests for disclosure 
of personally identifiahle health information, hut HCFA’s confidentiality practices 
have a number of weaknesses. These weaknesses include HCFA’s inability to easily 
provide beneficiaries with an accounting of disclosures made of their personal infor- 
mation and failure to always give them clear notification of the purposes for which 
their personal information may be disclosed outside of HCFA as required by the Pri- 
vacy Act. Although few complaints of violations have been reported to date, the 
HHS OIG also continues to report vulnerabilities in HCFA’s safeguards for confiden- 
tiality of electronic information. These vulnerabilities could lead to unauthorized in- 
dividuals reading, disclosing, or altering confidential information. Finally, potential 
conflicts exist between HCFA and state laws regarding the disclosure of sensitive 
health information. To date, conflicts have been minimal and the administration of 
Medicare has not been hindered, according to HCFA officials, because all states per- 
mit release of information for health care treatment and payment. However, if the 
same data elements were not available from all states, it might compromise HCFA’s 
ability to conduct research and analysis to improve Medicare policies. 

Background 

In protecting the confidentiality of beneficiaries’ health information, HCFA’s ac- 
tivities, like those of other federal agencies, are governed by the Privacy Act of 1974. 
The Privacy Act requires that agencies limit their maintenance of individually iden- 
tifiable records to those that are relevant and necessary to accomplish an agency’s 
mission. Federal agencies store personally identifiable information in systems of 
records. A system of records is a group of records under the control of a federal 
agency from which information can be retrieved using the name of an individual or 
an identifier such as a number assigned to the individual. The Privacy Act defines 
a record as any item, collection, or grouping of information maintained by an agency 
that contains an individual’s name or other identifying information. A record, for ex- 
ample, could include information on education, financial transactions, or medical 
history. Under the Privacy Act, federal agencies must inform the public when they 
create a new system of records or revise an existing system. This is done through 
publication in the Federal Register. A new system of records is announced when an 
agency wishes to collect new data. Sixty-two of HCFA’s 81 systems of records relate 
directly to Medicare beneficiaries and include personally identifiable data on a 
Medicare beneficiary’s enrollment and entitlement to benefits; demographic informa- 
tion such as age, race, ethnicity, and language preference; and diagnostic and treat- 
ment information. HCFA’s systems of records contain information stored in elec- 
tronic and paper forms. 

The Privacy Act generally prohibits the disclosure of individuals’ records without 
their consent. However, it allows the disclosure of information without an individ- 
ual’s consent under 12 circumstances called conditions of disclosure. One example 
is disclosure by a federal agency to its employees baseD on their need for the 
records to perform their duties. Another condition of disclosure allows an agency to 
establish routine uses under which information can be disclosed to a data requestor. 
One routine use, for example, could be disclosure to an individual or organization 
for a research project related to an agency objective, such as prevention of disease 
or disability in HCFA’s case. To establish a routine use, the agency must determine 
that a use is compatible with the purposes for which the information was collected 
and they must publish the notice of the routine use in the Federal Register. While 
the Privacy Act permits agencies to disclose information, it does not require that 
they do so; they can, for example, determine that in a particular case, the individ- 
ual’s privacy interest outweighs the public interest in disclosure. 

HCFA Needs Personally Identifiable Information on Medicare Beneficiaries 

Personally identifiable information is essential to HCFA’s day-to-day administra- 
tion of the Medicare program. Of primary importance is the need of the agency and 
its contractors to use personally identifiable information on Medicare patients to pay 
approximately 900 million fee-for-service claims annually. HCFA also uses this in- 
formation to determine the initial and ongoing eligibility of Medicare beneficiaries, 
determine risk-adjusted payments, make monthly payments to about 400 Medicare 
managed care plans, and track which managed care plans have been selected by 
over 6 million Medicare beneficiaries. HCFA and its contractors use beneficiary 
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claims data containing personally identifiable information to prevent fraud and 
abuse; administer the Medicare Secondary Payer program;^ develop fee schedules 
and payment rates used in fee-for-service claims processing; review the access, ap- 
propriateness, and quality of care received by beneficiaries; and conduct research 
and demonstrations including the development and implementation of new health 
care payment approaches and financing policies. 

HCFA Discloses Information About Beneficiaries for Authorized Purposes 

In screening requests for identifiable information, HCFA determines whether dis- 
closure is authorized by the Privacy Act. It also has different levels of review de- 
pending upon the type of organization making a request for information. HCFA’s 
policy and practice is generally to limit disclosures to information needed to accom- 
plish the requestor’s purposes. However, we found weaknesses in its recordkeeping 
system for tracking and reporting on disclosures and its notices to beneficiaries that 
their information could be disclosed. 

HCFA Screens Requests for Personally Identifiable Information 

In making decisions about whether to disclose information, HCFA’s primary cri- 
terion is whether the disclosure is permitted under a routine use or one of the 11 
other Privacy Act conditions of disclosure. HCFA can disclose information under 
routine uses to publicly and privately funded researchers and to public agencies 
such as the Agency for Health Care Policy and Research for health services research 
projects; to qualified state agencies for the purposes of determining, evaluating, or 
assessing cost effectiveness or quality of health care services provided in a state; 
and to insurers, underwriters, employers who self-insure, and others for coordina- 
tion of benefits with the Medicare Secondary Payer program. 

When deciding whether to disclose personally identifiable information, HCFA has 
different levels of review depending on the type of organization making a request 
for information. According to HCFA policy, HCFA employees and claims administra- 
tion contractors are provided access to personally identifiable information only when 
they require such information to perform their official duties. Other federal agencies 
and organizations, such as state governments and law enforcement agencies seeking 
information on Medicare beneficiaries, must submit documentation, such as a signed 
data use agreement that indicates their acceptance of the confidentiality require- 
ments of the Privacy Act and HCFA’s data use policies and procedures. These poli- 
cies and procedures include a requirement that the data user will not publish or 
release information that could allow deduction of a beneficiary’s identity. When re- 
viewing documentation from requestors, HCFA determines whether the disclosure, 
is permitted under a routine use for a system of records or other condition of disclo- 
sure, as allowed by the Privacy Act. In screening requests from outside researchers, 
HCFA also requires the submission of a detailed study protocol. Further, research- 
ers must receive approval from the HCFA Administrator when they request the 
names and addresses of Medicare beneficiaries they intend to contact to collect new 
data. 

HCFA Generally Limits Disclosures to Information Needed to Accomplish Purposes 

HCFA officials told us their practice is to disclose the least amount of personally 
identifiable information that will accomplish the purpose of the individual or organi- 
zation making the request. HCFA generally provides one of three types of data 
files — public-use files, beneficiary-encrypted files, and files which contain explicitly 
identifiable information. Public-use files are stripped of identifying information on 
beneficiaries and usually are summarized data. Beneficiary-encrypted files are data 
sets in which HCFA has encoded or removed the health insurance claim number, 
date of service, beneficiary name, or beneficiary zip code. Explicitly identifiable files 
contain such information as beneficiary names, addresses, and health insurance 
claim numbers. HCFA officials said they direct requestors whenever possible to ei- 
ther public use files or to beneficiary-encrypted files rather than to the files con- 
taining more identifiable beneficiary information. However, when HCFA does dis- 
close data files with personally identifiable information, it generally does not cus- 
tomize them for the specific purpose of reducing the amount of information dis- 


2 The Medicare Secondary Payer provision limits payment under Medicare for otherwise cov- 
ered items or services if that payment has been made or can be reasonably expected to be made 
from another source such as under a workmen’s compensation law, automobile or liability insur- 
ance policy, or certain health plans. In such cases. Medicare payments for items or services are 
conditional payments and Medicare is entitled to reimbursement from the other sources for the 
full amount of Medicare payments. 
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closed. HCFA officials told us that to do so would be a resource-intensive process; 
however, they are now developing software that will permit them to more easily cus- 
tomize data elements in the future. 

HCFA’s Recordkeeping System for Tracking and Reporting Has Weaknesses 

Although Medicare beneficiaries have the right under the Privacy Act to ask for 
and receive an accounting of disclosures of their personally identifiable information 
and to examine or amend their individual records, HCFA’s recordkeeping system is 
incapable of readily providing an accounting of disclosures to beneficiaries. The Act 
requires that the accounting include information on the nature and purpose of the 
disclosure and the name and address of the person or organization to whom the dis- 
closure was made. HCFA officials told us that the agency’s computerized system for 
tracking disclosures cannot easily generate information for an individual beneficiary 
on disclosures made from HCFA’s system of records. Weaknesses in HCFA’s record- 
keeping system also affect its ability to report on its Privacy Act activities to over- 
sight agencies such as 0MB. 

HCFA officials also told us that they are working on improving their record- 
keeping system to better account for disclosures of personally identifiable informa- 
tion made by the agency. HCFA officials said that, as directed by 0MB, they have 
begun reviewing their recordkeeping for Privacy Act activities. In January 1999, 
0MB released guidance based on a May 14, 1998, Presidential memorandum direct- 
ing each agency to review its information practices to ensure compliance with the 
Privacy Act. HCFA has begun to address OMB guidance and officials told us that 
they are reviewing routine uses that allow disclosure of Medicare beneficiaries’ in- 
formation. In May 1999, HCFA established an executive-level Beneficiary Confiden- 
tiality Board to review strategic confidentiality issues including HCFA’s policies and 
procedures for disclosing personally identifiable information. 

Weaknesses in Notifications to Beneficiaries That Their Information Could be Dis- 
closed 

The Privacy Act requires federal agencies to permit an individual to find out what 
records pertaining to him or her are collected, maintained, used, or disseminated by 
the agencies. The Act requires an agency to notify individuals of the following when 
it collects information: (1) the authority under which the agency is collecting the in- 
formation, (2) the principal purpose for the information, (3) routine uses that may 
be made of the information, and (4) whether the individual is required to supply 
the information and the effects on the individual of not providing it. 

HCFA officials told us they use more than a dozen different Privacy Act notifica- 
tions when collecting information from beneficiaries. Individuals’ first exposure to 
a Medicare-related Privacy Act notice is usually at the time of their application for 
Social Security retirement benefits, when they are provided with a multi-page Pri- 
vacy Act notice. Approved Social Security retirement benefit applicants are auto- 
matically enrolled in Medicare at age 65. Beneficiaries should receive other Privacy 
Act notifications whenever HCFA collects information about them — for example, if 
they separately enroll in Supplemental Medical Insurance (Medicare Part B), re- 
ceive medical care, or participate in a survey or a demonstration project.® 

While some of the HCFA Privacy Act notification forms we reviewed contain the 
required information, we found that others do not tell beneficiaries the purposes for 
which their information may be disclosed outside of HCFA, or they do so in an un- 
clear fashion. For example, a form for beneficiaries receiving services in skilled 
nursing facilities provided the required information, but the Privacy Act notice for 
Medicare Part B enrollment did not identify the routine uses that would be made 
of the beneficiary’s information and provided only a vague reference to the Federal 
Register as a source for such information. We found similar problems in a form used 
to collect information on end-stage renal disease beneficiaries. 

Inadequate HCFA Safeguards Could Compromise Confidentiality 

Although the procedures specified in HCFA’s systems security manual generally 
adhere to OMB’s guidance for safeguarding electronic information, HHS’s OIG has 
identified serious control weaknesses with HCFA’s safeguarding of confidential in- 
formation.^ OIG’s audits of fiscal years 1997 and 1998 financial statements identi- 


® Medicare Part B helps pay for doctors, outpatient hospital care, and other medical services 
such as physical and occupational therapy. 

^ HHS/OIG, Report on the Financial Statement Audit of the Health Care Financing Adminis- 
tration for Fiscal Year 1996 (CIN: A-17-95-00096, July 17, 1997); HHS/OIG, Report on the Fi- 

Continued 
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fied a variety of problems with HCFA’s safeguards for electronic information at 
HCFA’s central office and for selected Medicare claims administration contractors. 
The OIG reported the need for HCFA to implement an overall security structure 
and discussed weaknesses in the following areas: computer access controls (tech- 
niques to ensure that only authorized persons access the computer system), segrega- 
tion of duties (the division of steps among different individuals to reduce the risk 
that a single individual could compromise security), and service continuity (the abil- 
ity to recover from a security violation and provide service sufficient to meet the 
minimal needs of users of the system). The OIG also reported problems with con- 
trols over operating system software integrity and application development and 
change controls. However, HCFA has reported few complaints of potential Privacy 
Act violations. 

When the OIG conducted work at 12 Medicare contractors for its fiscal year 1998 
audit, auditors were able to penetrate security and obtain access to sensitive Medi- 
care data at 5 of them. The auditors’ ability to do so without using their formal ac- 
cess privileges is of particular concern because unauthorized users can exploit this 
security weakness in several ways, and compromise confidential medical data. 

Agency officials told us they are in the process of taking action to correct the 
weaknesses identified by OIG. However, HCFA’s ability to make progress is cur- 
rently affected by the agency’s efforts to address computer requirements for the year 
2000 so that there will be no interruption of services and claims payments. HCFA, 
consistent with priorities established by 0MB, has a moratorium on software and 
hardware changes until it is compliant with year 2000 computer requirements. OIG 
will evaluate the effectiveness of any corrective actions that HCFA is able to imple- 
ment during its fiscal year 1999 financial statement audit. 

HCFA Does Not Systematically Monitor How Organizations Protect the Confiden- 
tiality of Medicare Data 

Although HCFA has a process for monitoring systems security at its claims ad- 
ministration contractors, agency officials told us that competing demands and re- 
source constraints have prevented them from monitoring whether these organiza- 
tions follow 0MB guidance for protecting the confidentiality of information. HCFA 
officials told us that, other than OIG reviews, there were no explicit on-site reviews 
of contractor’s security protections in fiscal years 1997 and 1998 because of resource 
constraints and the assignment of staff to assess contractor year 2000 computer re- 
quirements. However, HCFA did initiate reviews of network security in 1998 for 12 
Medicare contracts at 4 of its 60 claims processing contractors. 

In addition, HCFA officials told us that they do not have a system for monitoring 
whether organizations outside of HCFA have established safeguards for personally 
identifiable information received from the agency. When organizations sign data use 
agreements with HCFA, they agree to establish appropriate administrative, tech- 
nical, and physical safeguards, providing a level and scope of security that is not 
less than the level and scope established by 0MB. Data use agreements also include 
requirements that those receiving information from HCFA use the data only for 
their HCFA-approved purpose and that the data be returned to HCFA or destroyed 
upon completion of the project. HCFA does not systematically monitor how the data 
are being used. Although the agency follows up on expired data use agreements, 
HCFA currently has a backlog of about 1,400 expired agreements. It expects to re- 
duce the backlog by one-half by September 30, 1999. 

HCFA’s failure to monitor contractors and others who use personally identifiable 
Medicare information hampers HCFA’s ability to prevent the occurrence of problems 
and to provide timely identification and corrective action for those that have oc- 
curred. 

Few Complaints of Privacy Act Violations Reported 

The agency identified 7 complaints of potential violations of the Privacy Act it has 
received and resolved in the past 4 years. Six complaints involved contractors con- 
ducting research for HCFA, health data organizations, and individual researchers; 
the seventh complaint was made by a Medicare beneficiary’s attorney. The first six 
complaints were raised by similar organizations or other researchers and involved 
posting of potentially identifiable Medicare billing information on an Internet 
website, using and publishing data in a second research project without authoriza- 


nancial Statement Audit of the Health Care Financing Administration for Fiscal Year 1997 (CIN: 
A— 17-97-00097, Apr. 24, 1998); HHS/OIG, Report on the Financial Statement Audit of the 
Health Care Financing Administration for Fiscal Year 1998 (CIN: A-17— 98— 00098, Feb. 26, 
1999). See also Information Security: Serious Weaknesses Place Critical Federal Operations and 
Assets at Risk (GAO/AIMD-98— 92, Sept. 23, 1998). 
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tion from HCFA, and offering to share Medicare files at a national research con- 
ference. In the first six cases, HCFA provided direction on Privacy Act requirements 
to those involved. In the seventh case, HCFA provided the beneficiary’s attorney 
with a letter addressing the issues raised. 

HCFA reported only one internal disciplinary action within the past 5 years relat- 
ing to violations of HCFA’s confidentiality policies. This incident involved an agency 
employee who was accessing beneficiary files more frequently than appeared nec- 
essary for performing his job. The employee admitted to looking at files of famous 
people. He was placed on administrative leave and later signed an affidavit stating 
that the files had not been sold or shared with other persons; accordingly, he was 
allowed to resign. 

Some States Restrict Disclosure of Sensitive Confidential Information 

In its oversight of the Medicare program, HCFA necessarily deals with bene- 
ficiaries and providers from every state. Although states have laws governing the 
confidentiality of health information, these laws vary significantly, resulting in what 
has been called a patchwork system of protections. For example, in Florida, mental 
health records are confidential and may he disclosed only under limited cir- 
cumstances. 

Conflicts between HCFA and the states involving medical record disclosures have 
been minimal, according to HCFA officials, and HCFA officials believe its adminis- 
tration of the Medicare program has not been hindered because all states permit 
release of information for health care treatment and payment. If a state law prohib- 
ited disclosure of information to HCFA that was critical for these purposes, and a 
federal statute required such disclosure, HCFA officials told us that the agency 
would rely on the Supremacy Clause of the U.S. Constitution and its express statu- 
tory authority.® 

HCFA officials told us that if information is not critical to HCFA operations, 
HCFA’s policy is to respect and abide by state laws that provide greater health 
records protection than would otherwise be required by federal law or regulation. 
For example, when California and Washington notified HCFA that laws in their 
states did not authorize the disclosure of diagnostic information related to the 
human immunodeficiency virus (HIV), acquired immunodeficiency syndrome (AIDS) 
and sexually transmitted diseases (STD), HCFA changed the system used to collect 
and analyze certain nursing home information by allowing the states to withhold 
diagnostic information collected about HIV/AIDS and STDs for their nursing home 
patients.® HCFA told us that 15 states have exercised this option by blanking out 
identifiable codes for HIV/AIDs or STDs before submitting the requisite information 
to HCFA. According to HCFA officials, the deletion of diagnostic information col- 
lected about HIV/AIDS and STDs for nursing home patients generally has not af- 
fected its operations. However, HCFA officials told us that the agency will require 
diagnostic information as it refines its new prospective pajnnent system for skilled 
nursing facilities as well as its other payment systems and may, therefore, need to 
change its policy of allowing states to withhold information. 

Restricting HCFA from receiving uniform health information across the country 
could adversely affect internal operations such as rate-setting and monitoring for 
quality assurance. It could also affect the ability of analysts in HCFA, other federal 
agencies, and non-governmental organizations to conduct policy analysis and health 
services research because of the difficulty in complying with varying state laws. If 
the same data elements and health information were not available from all states, 
HCFA’s ability to conduct research and analysis to improve Medicare policies might 
be compromised. 


Conclusions and Recommendations 

In its role as administrator and overseer of the nation’s Medicare program, HCFA 
must collect and maintain personally identifiable information on millions of bene- 
ficiaries to effectively operate and manage the program. As a steward of confidential 
information, HCFA must balance its need to effectively manage the Medicare pro- 


®U.S. Const. Art. VI, cl. 2. The Supreme Court has construed the Supremacy Clause of the 
U.S. Constitution to hold that federal law preempts state law where, for example: (1) the state 
law directly conflicts with federal law, (2) the federal legislative scheme leaves no room for state 
regulation, or (3) the state statute frustrates or conflicts with the purposes of the federal law. 

® The information is used by HCFA to track changes in health and functional status of nursing 
home residents. The information system is known as the National Minimum Data Set (Resident 
Assessment Instrument) repository. 
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gram with the privacy concerns of its beneficiaries. HCFA must protect bene- 
ficiaries’ health information from inappropriate or inadvertent disclosures. 

We found that HCFA’s policies and practices are generally consistent with Privacy 
Act protections. However, we also found that the agency needs to do a better job 
implementing and enforcing certain protections. As the HHS OIG has reported, 
HCFA continues to have vulnerabilities in its information management systems. In 
addition, HCFA has not consistently monitored its claims administration contrac- 
tors’ safeguards for protecting confidential information. We recognize that HCFA, 
consistent with priorities set forth by 0MB, has focused its resources on ensuring 
that the agency and its contractors are compliant with year 2000 computer require- 
ments. Nonetheless, we believe that reducing the vulnerabilities in its information 
systems and increasing its monitoring of contractors are important concerns that 
HCFA must address in the coming year. 

HCFA also needs to better implement other aspects of its confidentiality policies 
and practices. The agency does not always fully and clearly inform beneficiaries that 
their information may be disclosed. It also lacks the ability to readily provide bene- 
ficiaries with an accounting of disclosures. In addition, HCFA does not have a for- 
mal system for monitoring the confidentiality protections of organizations to which 
it discloses personally identifiable information. As a result, HCFA is unable to sys- 
tematically reduce the likelihood of inappropriate use of the data or identify in- 
stances of such misuse. 

Although few complaints about Privacy Act violations have been made to date, we 
believe that the weaknesses we and others have identified potentially compromise 
the confidentiality of health information on Medicare beneficiaries. However, HCFA 
has begun some important initiatives that appear promising and could improve its 
protection of Medicare beneficiary health information. These include the creation of 
a new beneficiary confidentiality board and actions taken in response to 0MB guid- 
ance for agencies to reevaluate the circumstances under which they disclose infor- 
mation. 

Our report makes recommendations to the HCFA Administrator to improve 
HCFA’s protection of the confidentiality of personally identifiable information on 
Medicare beneficiaries. In summary, we recommend that HCFA correct the 
vulnerabilities identified in its information management systems by OIG, systemati- 
cally monitor contractors’ safeguards for protecting confidential information; develop 
a system to routinely monitor other organizations that have received personally 
identifiable information on Medicare beneficiaries; ensure that all agency Privacy 
Act notifications contain the information required hy the Act in a form that is clear 
and informative to beneficiaries, and implement a system that would permit HCFA 
to respond in a timely fashion to beneficiary inquiries about disclosure of their infor- 
mation outside HCFA as well as to provide information on Privacy Act activities to 
0MB and others. 


Mr. Chairman, this concludes my prepared statement. I would be happy to answer 
any questions you or the Subcommittee Members may have. 
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Major Disruptions (GAOAT-AIMD-SO, Jan. 20, 1999). 

Major Management Challenges and Program Risks: Department of Health and 
Human Services (GAO/OGC-99-7, Jan. 1999). 

Medicare Computer Systems: Year 2000 Challenges Put Benefits and Services in 
Jeopardy (GAO/AIMD-98-284, Sept. 28, 1998). 
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Chairman Thomas. Thank you very much. 

Dr. Hamburg, it has been a source of frustration for many of us 
that the administration has failed almost in every instance to meet 
a date that was prescribed for it in law and to provide information 
or structure dealing with the BBA in terms of prospective payment 
structures of the rest. So that source of frustration may indeed be 
finally useful in your announcing that the administration plans to 
produce its document on a particular timetable, and I feel com- 
fortable that that timetable will not be carried out. This is the first 
time I feel good about the Administration not making a timetable. 

Ms. Aronovitz, in the GAO report, on page 6, you indicate that 
HCFA relies on, under current conditions, the disclosure structure 
provided for in the Privacy Act dealing with release of information 
to outside researchers and other entities; and you also mentioned 
in your testimony and on page 14 and 15 you note that HCFA’s 
current recordkeeping system makes it almost impossible for some- 
one to go back and determine where all someone’s data was sent. 
And I know Dr. Hamburg mentioned an HMO in terms of dis- 
closing this information, and I appreciate your pointing out this 
problem. 

However, in looking at GAO information the way you have it 
structured, Ms. Aronovitz, I don’t see much of an indication of the 
number of these disclosures. You talk about 1,400 expired data use 
agreements. Now, the assumption is that covers a kind of an un- 
derstanding of what information is going to be provided and what 
you are going to do with it, but those are expired data use agree- 
ments, 1,400 of them. How many are out there that are not ex- 
pired? That would be one of the questions. How many over a time 
period, 1 year, 5 years, has there been in terms of agreements in 
which information has been moved? Do we have any indication of 
the total number of agreements? 

Ms. Aronovitz. No. It is actually quite a complicated accounting 
process. When you think of the Privacy Act, we usually think of a 
system of records, and that is the kind of denominator which we 
use to try to figure out disclosures. We could not get an accounting 
of the total number of times data that were in a particular system 
of records were disclosed to an outside requester. 

Chairman Thomas. Is HCFA required to report Privacy Act in- 
formation activity and to whom is it supposed to report this? 

Ms. Aronovitz. HCFA has two obligations. The first is to the 
beneficiary, when the beneficiary asks for an accounting of disclo- 
sures. We believe that, right now, a beneficiary would probably 
have to wait for a while, because HCFA could not readily provide 
that information. HCFA also must provide certain types of informa- 
tion through HHS to 0MB the information to be provided to 0MB 
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concerns the number of beneficiaries who have asked to access 
their own records. 

Chairman Thomas. So the only information under the Privacy 
Act that is kind of held responsible for telling folk you are doing 
it is either to the individuals or the number of individuals informa- 
tion? Who are these entities, for example, on the 1,400 expired data 
use? Who would these agreements be with, typically? I know they 
are expired, but it would be an indication of who they would be 
with if they were alive. 

Ms. Aronovitz. Data use agreements are used for a variety of 
requesters of information from HCFA. They would be almost every- 
one outside of HCFA itself. 

Chairman Thomas. Who is everyone? Are these entities? 

Mr. Hash. It would be HCFA, it would be researchers that HCFA 
is sponsoring, research or non-HCFA sponsored researchers. It 
could also be States or other Federal agencies. 

Chairman Thomas. And there is no requirement that they list or 
include who it is that they have transmitted this information to on 
a Privacy Act report to 0MB? 

Mr. Hash. No, there is no requirement for disclosures to third 
parties in the 0MB. It is only to the number of times a beneficiary 
has asked to access its own information. 

Chairman Thomas. Thank you. 

Do you volunteer this information anyway or do you follow strict- 
ly the Privacy Act? 

Mr. Hash. Mr. Chairman, we have been trying to follow the Pri- 
vacy Act. We have actually to my knowledge not recorded any re- 
quests from beneficiaries for the information that Ms. 
Aronovitz . 

Chairman Thomas. I am asking the question the other way. Do 
you keep track of who it is, the entity that you enter into these 
agreements with and to which you release personally identifiable 
information? 

Mr. Hash. We do. 

Chairman Thomas. Then tell me how many you have entered 
into over the last 1 year, 5 years. 

Mr. Hash. I will have to get you that for the record, Mr. Chair- 
man. 

Chairman Thomas. Do you believe you can get it for the record? 

Mr. Hash. I believe we can. I believe we could determine the 
number of data use agreements that we have. 

[The following was subsequently received:] 

Within the last year 1,911 data use agreements were initiated. Of these, 1,261 
involve identifiable data and 650 involve encrypted data. Within the last five years 
5,167 data use agreements were initiated. Of these, 3,950 involve identifiable data 
and 1,217 involve encrypted data. 


Chairman Thomas. OK. My problem is, if you can do that, Ms. 
Aronovitz, my understanding is you interviewed HCFA folk, and 
did you ask that question of them? 

Ms. Aronovitz. The data use agreement is between the re- 
searcher and HCFA. HCFA needs to be able to better account for 
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specifically what records they are disclosing on a particular hene- 
ficiary. 

Chairman Thomas. So we don’t even know what information is 
transmitted to these individuals? Or we do, but we can’t recall it 
after it is done? 

Ms. Aronovitz. The details are kept in paper records filed by the 
requester’s name, not by an individual beneficiary or by a system 
of records. 

Chairman Thomas. Now I also noted in the GAO report that 
HCFA indicated that what they did was follow the tail of the 
comet, that is, they would review on the Internet, read materials 
to see if any of this information was out there. And it just kind of 
concerns me that they don’t look at the comet, they look at the tail 
of the comet, so it is already out there before their detection struc- 
ture would function; is that correct? 

Ms. Aronovitz. Yes. We think they need to do a much better job 
doing more proactive monitoring of entities that they provide infor- 
mation to, making sure that they are following their data use 
agreements and, in fact, complying with the provisions of those 
agreements. 

Chairman Thomas. So, based upon Dr. Hamburg’s testimony, I 
could very comfortably ask her who has HCFA released individual 
information out of HCFA to, and she probably wouldn’t be able to 
tell me who she released it to. Probably just as important, she 
wouldn’t be able to tell me what it was that was released, unless 
of course it appeared on the Internet being misused if your moni- 
toring is 100 percent accurate after the fact. Is that a reasonable 
statement of what we have got right now with individualized 
records being sent out of HCFA to researchers and other entities? 

Ms. Aronovitz. I think it is reasonable. We would have to say 
that it would take quite a lot of effort, for HCFA to get that infor- 
mation. 

Chairman Thomas. Mike, you want to respond? 

Mr. Hash. Mr. Chairman, what I would like to say is that we, 
in fact, do I think have, as I mentioned a moment ago, the records, 
the data use agreements that we have entered into. 

Chairman Thomas. And you know what it is that has been trans- 
mitted under this agreement? You have a record of that? 

Mr. Hash. We do. We do. What would take a greater effort that 
was referred to was the identification specifically on a beneficiary 
by beneficiary basis, what various systems of record information 
was transmitted. It could be done, but because we maintain our 
records on the basis of the data use agreement, you would have to 
go in and manually identify the individuals that were included in 
that data use agreement, but we know what we gave and to whom 
we gave it. 

Chairman Thomas. You know what you gave. 

Mr. Hash. Correct. 

Chairman Thomas. Including personalized medical record infor- 
mation from an individual. 

Mr. Hash. We know the systems of records that include person- 
ally identified information that we made available to a user under 
a data use agreement. 
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Chairman Thomas. And do you know they honored that use 
agreement? 

Mr. Hash. I believe except for the monitoring activity we need 
to put into place stronger oversight of exactly whether all of the 
users in these data use agreements are complying with the require- 
ments of the Privacy Act. 

Chairman Thomas. I appreciate the answer. The question was, 
do you know if they are living up to the agreement? 

Mr. Hash. Not in every case, Mr. Chairman. 

Chairman Thomas. And have you found some since, not in every 
case, there are some who are not? 

Mr. Hash. Very few. 

Chairman Thomas. OK. What do you do with the few that you 
find? 

Mr. Hash. In the cases where people have violated the Privacy 
Act, we have of course withdrawn, canceled their . 

Chairman Thomas. Don’t you want to modify the statement to 
say that in those instances when we are aware they have violated 
the agreement? 

Mr. Hash. In those instances, where we believe there has been 
a violation of the Privacy Act by one of our . 

Chairman Thomas. No, that you are able to determine — see, 
what you did was just go from a statement in which you don’t do 
a very good job of keeping track of it and you have discovered some 
violations . 

Mr. Hash. Mr. Chairman, I think we do a good job of keeping 
track of it. What we don’t do as good a job of as we should is in 
oversight with these users to make sure that, once they get the 
data, they are in fact actually complying with the requirements of 
the Privacy Act. 

Chairman Thomas. And how many agreements are there today 
in effect? 

Mr. Hash. I will be happy to try to supply that to you for the 
record. I don’t have it with me, Mr. Chairman. 

[The following was subsequently received:] 

As of July 21, 1999, there are 4,377 data use agreements in effect. Of these, 2,924 
involve identifiahle data and 1,453 involve encrypted data. The majority are with 
government agencies and researchers under contract to do work for the government; 
only 515 are not with Federal or State agencies or researchers under contract to 
such agencies. 


Chairman Thomas. OK. Now, GAO has identified, you know, 
many uses that HCFA has with the individually identified informa- 
tion. You got to do a lot of stuff. You have got payment activities 
that you have to deal with that data, claims processing. You do 
some utilization review. You got secondary payment enforcement, 
eligibility determinations. What else? Integrity activities, peer re- 
view, quality assurance. 

Mr. Hash. Yes, sir. 

Chairman Thomas. What else? I mean, some research . 

Mr. Hash. Yes, sir, for purposes of improving either our payment 
policies or our quality improvement strategies. 
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Chairman Thomas. Yes. Would you classify the surveying of indi- 
vidual claims files in order to determine something like, say, the 
relative mammography rates of seniors in the traditional fee for 
Medicare service program to be a quality assurance activity? 

Mr. Hash. I believe we would, Mr. Chairman. 

Chairman Thomas. How about peer review and credentialing ac- 
tivities? 

Mr. Hash. If you mean by that organized systems of care, Mr. 
Chairman? 

Chairman Thomas. Yes, trying to take a look at who does what 
in the credentialing area as a kind of, in my opinion, a quality as- 
surance procedure. Would you classify that, the credentialing, the 
review of the ability to live up to the agreement that was made for 
credentialing purposes, quality assurance? 

Mr. Hash. The situation that that suggests to me is that the — 
only one area wherein we review applications of private health 
plans and want to contract with Medicare and we look to those pri- 
vate health plans to provide us information about their 
credentialing procedures for health care professionals who are 
going to serve our enrollees. 

Chairman Thomas. OK. Let me give you an example. The Presi- 
dent’s recent proposal said that he is interested in moving toward 
a PPO, preferred provider organization structure, and my assump- 
tion is you are going to have to do some additional monitoring and 
perhaps some credentialing in that regard. Would that be a quality 
assurance activity? 

Mr. Hash. Well, we have been thinking about two approaches to 
that, Mr. Chairman. One would be to contract with existing PPO 
organizations that are already out there; and in that case, obvi- 
ously, we would be interested in assurances that they do have some 
criteria for determining who gets admitted to their PPO. We had 
not really anticipated, at least initially, that we would be forming 
under that proposal our own PPOs. 

Chairman Thomas. But it doesn’t preclude that. 

Mr. Hash. It does not. 

Chairman Thomas. And this line of questioning was in part to 
establish that, obviously, health information is sensitive, it is im- 
portant, but there are truly legitimate reasons beyond treatment 
and payment that you need to utilize this kind of data if for no 
other reason quality assurance but certainly in terms of best prac- 
tices and other activities I think are important. 

My real concern as we move forward in this is that we take a 
look at where we are philosophically, where we may want to be for 
public health purposes and, in fact, providing statistical data to be 
able to assist in improving individual health care and look at what 
is happening at the State level and the ability of the Federal Gov- 
ernment, notwithstanding the fact it is a sovereign, to make sure 
all legitimate health entities have the ability to do the same thing. 
And I am concerned about the administration’s position that they 
are less concerned about what is happening at the State level be- 
cause of the sovereign position and HCFA’s ability to collect infor- 
mation. But the formation of a confidentiality structure which pro- 
vides for research collection needs to be looked at from a Federal 
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perspective, not just a government but a national perspective for 
the data. Is there any reaction to that? 

Dr. Hamburg. Well, I think that the Secretary’s recommenda- 
tions definitely acknowledge the important point you are making 
and identify research as an important area of activity for disclosure 
of information, public health concerns, quality of care and certain 
emergency situations as well. 

Chairman Thomas. The gentleman from Wisconsin has already 
had his position violated by the Secretary’s concerns. So since we 
have blown through his concerns, my concerns are this. I under- 
stand the concept of a Federal floor and allowing States to go be- 
yond that. If we are dealing with things like clean water, clean air, 
it doesn’t make sense to me if you are dealing with the collection 
of data to say there could be a Federal floor but States can impose 
more stringent data in particular areas. We may want to carve out 
other areas completely. 

I do not understand — and this is kind of a bizarre relationship 
to me — a Republican advocating Federal preemption in an area in 
which that folk at a cocktail party would think that would be un- 
derstanding the importance of the collection of data for very funda- 
mental and critical reasons in the private sector as well as in the 
public sector. And this is an area I think we need to resolve be- 
cause I do not understand how, in the collection of data for useful 
purposes, the administration can comfortably say we will establish 
a floor and if the State wants to go beyond that, that is OK with 
us. How ever in the world you have an accurate, universally reli- 
able data collection system with that basic organizing concept 
doesn’t make sense to me, and I look forward to continuing to work 
with you. 

The gentleman from Wisconsin wishes to inquire? 

Mr. Kleczka. Thank you. Chairman Thomas. 

I don’t believe the Secretary did violate my preamble for privacy, 
because I never said it was an absolute right. I said as the owner 
of those records I think I should have the right to express my de- 
sire for privacy. Throughout the discussion of the use of these 
records for research and for collection of data I think we should 
consider, de-identifying the records. I think, for billing purposes my 
name and data might have to be attached to it, but for a lot of stuff 
we can de-identify the medical record and let the research or what- 
ever go forward. 

Mr. Hash, first let me ask a question we are all wondering and 
I guess everyone is kind of embarrassed to ask, how is the mother 
to be? 

Mr. Hash. I am glad you asked that. I just talked to her today, 
and she is expected to deliver at any moment, so she is very near 
the end of her odyssey and very excited about the next phase of her 
life. 

Mr. Kleczka. Well, we wish her well and the baby and the fa- 
ther. 

Let me ask one question. You indicated that HCFA has just ap- 
proved the creation of a Beneficiary Confidentiality Board, which 
I assume is going to be akin to the Independent Review Boards 
that States have and some individual private organizations have. 
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What do you envision the responsibility of this confidentiality 
board to be? 

Mr. Hash. Mr. Kleczka, I am glad you asked, because we felt we 
needed a high-level organization within HCFA that pulled together 
the leadership of the agency to focus on the strategic questions 
about the kind of information that needed to be collected to operate 
our programs, as well as the protections that need to be in place 
to ensure patient and individual confidentiality. And the mission of 
this new Beneficiary Confidentiality Board is to develop procedures 
and policies that will govern our decisions about the collection of 
information on the front end, as well as our requirements for data 
users and, in fact, our policies and procedures for overseeing, as I 
mentioned to Chairman Thomas, compliance with these procedures 
by anyone with whom we enter into a data use agreement. 

We are also anxious that this board be an opportunity to exam- 
ine the existing systems of records that we have to determine 
whether they are properly secured, whether we in fact, in another 
critical area, are making adequate notices available to our bene- 
ficiaries so that in plain language they know under what authority 
we are collecting the information and specifically to what uses it 
could be put. 

So these are the range of broad questions that we expect this 
board to address; and, as I say, not only does it involve our com- 
puter and information systems people, but it is actually housed, for 
staffing purposes, in our Center for Beneficiary Services to focus at- 
tention that this is all about protecting the interests of our bene- 
ficiaries. 

Mr. Kleczka. With the thousands of contractors that you enter 
into agreements with across the country, have you seen any viola- 
tions of the beneficiaries’ medical records by contractors either 
through unauthorized viewing or sale of information? 

Mr. Hash. We are not aware of any serious violations. We think 
there have been instances in which the procedures for gaining ac- 
cess to personally identifiable information may have been breached 
because individuals who were not authorized by the nature of their 
work to have access may have been given access. When we have 
learned of that, we have, you know, revoked their access privileges 
and taken steps to tighten up on the approval of access, but, to my 
knowledge, we do not have any cases where the information has 
been sold or publicly disclosed. 

Mr. Kleczka. OK. In how many instances do you recall having 
a problem with contractors with regard to unauthorized access? 

Mr. Hash. How many instances? 

Mr. Kleczka. How many instances? Do you have any numbers? 

Mr. Hash. I think it is very few over the last 5 or 6 years. We 
looked back, and I think we only found one or two altogether. 

Mr. Kleczka. OK. When you deal with a patient’s privacy and 
the records that you are responsible for you comply with Federal 
Privacy Act, but you also defer to State law; is that accurate? 

Mr. Hash. We generally do respect State laws. For the most part, 
what we have found is that State laws do recognize the kinds of 
needs that we have for personally identified information in their 
own laws, for example, data for payment purposes, data for fraud 
and abuse purposes and law enforcement, and data for quality as- 
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surance. These are typically treatment, payment and health care 
operations exceptions that are found in State privacy laws, and 
those laws have allowed us to continue to have access to the data 
we need to operate our programs. 

Mr. Kleczka. ok. I will get back to Ms. Hamburg on the second 
round with some preemption questions. Thank you. 

Chairman Thomas. Gentlewoman from Connecticut wishes to in- 
quire? 

Mrs. Johnson of Connecticut. I thank you for your testimony 
today. 

I want to talk a little bit more about this patient opt-out power 
as well and particularly how it interfaces with the floor proposal. 
If a patient has the right to opt-out, and I am very sympathetic to 
the opt-out provision but I want to understand more clearly how 
it works, could a Medicare beneficiary elect to withhold the fact 
that they had had a certain diagnosis? 

Mr. Hash. I think you are addressing that to me, Mrs. Johnson. 

Mrs. Johnson of Connecticut. Well, whoever is best suited to an- 
swer it. 

In other words, could they elect to withhold this information 
from the carrier, you know, from the payor? I want to know how 
far their election rights go. The doctor knows it clearly. Now if they 
can elect to withhold this information, I might want to do exactly 
what my friend did with his dentist. I might like to elect to with- 
hold that I was diagnosed with shingles for a fear that people 
would fear that I was hyper responsive to stress-related illnesses. 
So, you know, how much could they withhold actually from the car- 
rier? 

Mr. Hash. Well, the requirements in the Medicare Program are 
really to submit a claim to us that provides sufficient information 
on the claim form for us to determine if the individual is eligible, 
that the service provided was covered, and that is the basic infor- 
mation that comes in on a claim form. And if a claim form was sub- 
mitted to us without the diagnostic information or without the 
identification of the individual or their health insurance number, 
then our contractor would be unable to process that claim. 

Mrs. Johnson of Connecticut. OK. Then in terms — ^because I 
want to go through a sort of series of these — in terms of program 
activities that HCFA is responsible for, could an individual elect 
not to let HCFA use specific data in research and development of 
new payment methodologies? In other words, I could see that they 
would have to submit the information so there would be payment, 
but could they prevent you from having access to that information 
for your own internal research and policy development? 

Mr. Hash. As I understand it, Mrs. Johnson, under our current 
notices, and the authorizations that we seek from our beneficiaries 
when they enroll in Medicare, allow us to make the judgment 
about the use of their personally identified information for pur- 
poses that may involve research related to the improvement of the 
payments in the program or to quality oversight or to fraud and 
abuse, those kinds of activities. 

Mrs. Johnson of Connecticut. How specific is your requirement 
to inform consumers and to ask for their permission? Because in 
the next 5 years there are people who are going to get much more 
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sensitive to this whole issue and are going to he making different 
decisions. So do you inform them they have a right to withhold in- 
formation and will there he subcategories that you have a right to 
withhold your information from researchers, you have a right to 
withhold information from whomever? 

Mr. Hash. That is not the substance of our notices that we give 
under the Privacy Act now. They do not have the option to sub- 
limit the use of the data for the kinds of examples that you were 
using. 

Mrs. Johnson of Connecticut. So when they say disclose or not 
disclose, do they know to whom the information may be disclosed 
and to whom it may not be disclosed? 

Mr. Hash. Of course they don’t know specifically to whom it may 
be disclosed, but they do know that it may be disclosed for a series 
of purposes, and those purposes are indicated in the notice. 

Mrs. Johnson of Connecticut. And if they indicate they don’t 
want disclosure, do you interpret that to mean that you simply 
can’t disclose to an outside contractor but you can disclose within 
your agency? Do you say that you can disclose to other Federal 
agencies but not to outside contractors? 

Ms. Aronovitz. My understanding right now is that on a notice 
it is a blanket notification. We actually looked at some notices that 
say, if you do not sign this form, you will not be able to get benefits 
from Medicare. 

Mrs. Johnson of Connecticut. That is not an opt-out to say if you 
don’t sign disclosure you don’t get benefits under Medicare. This is 
a sledgehammer. 

Ms. Aronovitz. We don’t consider that an opt-out. 

Mrs. Johnson of Connecticut. Oh, I see. 

Ms. Aronovitz. If there is an opt-out policy . 

Chairman Thomas. It may be a literal opt-out, depending upon 
what options you need and medical service. 

Ms. Aronovitz. Currently, we don’t see HCFA having an opt-out 
policy. 

Mr. Hash. To my knowledge, we do not. 

Mrs. Johnson of Connecticut. I thought you were recommending 
an opt-out policy. 

Mr. Hash. I am not aware of that, Mrs. Johnson. 

Mrs. Johnson of Connecticut. My impression is that in your rec- 
ommendations you are proposing an opt-out policy. So I kind of as- 
sumed from that, which I did not have the right to assume, that 
if you are recommending an opt-out policy you must already have 
one. 

Mr. Hash. Perhaps this will be helpful, Mrs. Johnson. We do 
have a procedure where if a researcher wants to contact an indi- 
vidual about their participation in a survey or some kind of a re- 
search protocol that we first contact that individual by letter and 
indicate to them that they may elect not to participate in such an 
activity if they do not want to. And that is an area of patient 
choice, if you will, or opt-out that we do routinely apply if the re- 
search protocol involves contacting an individual directly and ask- 
ing them for participation in a research protocol. 

Ms. Aronovitz. There is another example that might be useful. 
Some of the notices that we looked at specifically said if you don’t 
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sign this form you will not get Medicare benefits. The OASIS notifi- 
cation, which we think is an improvement over some of the other 
notices, does have language that specifically states there are no 
Federal requirements for home health agencies to refuse you serv- 
ices if you do not provide this information. However, it takes a lit- 
tle bit of fortitude to really understand what it says. 

Mrs. Johnson of Connecticut. Sort of a backhanded way of say- 
ing that you can get the services even if you refuse to disclose. 

Ms. Aronovitz. Right, in this particular case. So there could be 
instances where you would not lose your benefits. 

Mrs. Johnson of Connecticut. So there is not currently any re- 
quirement that when you sign up for Medicare you have the right 
to sign a waiver that says you may not release my medical infor- 
mation. 

Ms. Aronovitz. As far as we know, that is correct. 

Mr. Hash. I believe that is correct. The authorization that bene- 
ficiaries sign when they enroll in Medicare is a broad authoriza- 
tion. 

Mrs. Johnson of Connecticut. Thank you. I will pursue this 
later, but I think in the new world this is a very big issue. Thanks. 

Chairman Thomas. Gentleman from Minnesota wishes to in- 
quire? 

Mr. Ramstad. Thank you, Mr. Chairman. Thank you to today’s 
witnesses. 

As a former adjunct professor of constitutional law, the more I 
get into this area I am beginning to reach the conclusion that 
health care privacy is an oxymoron given the state of technology, 
and I am real concerned about the right to privacy, the zone of pri- 
vacy as the Supreme Court has talked about, that we supposedly 
have through the first, fourth, fifth and 14th amendments to the 
Constitution. 

And I don’t understand, if I may address the first question to 
you, please, Mr. Hash, according to the GAO critique, the report, 
when HCFA discloses data files with personally identifiable infor- 
mation it doesn’t customize them for the specific purpose of reduc- 
ing the amount of information. Now, I thought this was depart- 
mental policy pursuant to the 1997 HHS recommendations on pri- 
vacy, and does this mean that they are ignoring the issue of cus- 
tomizing the data you disclose? 

Mr. Hash. I think maybe, and I will let Ms. Aronovitz speak to 
that, but I think what we mean by customization is that at HCFA 
when we review a request for personally identified information for 
a research purpose, we actually go through a kind of three-stage 
evaluation. We have what are called public use tapes which have 
a lot of aggregated data which do not identify individuals; and we 
see if, in fact, research can be conducted with a public use tape. 

We have a second level of release of data that involves the 
encryption of identifying information. It is obviously conceivable 
that with that data set you could identify individuals, but it would 
be difficult. 

But we then, last, only as a last resort do we actually release a 
data file with person-specific identifiers in it, and only then when 
we have made a determination that there is no other way to con- 
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duct the research and that the research is vital to a purpose of ad- 
ministering our program. 

Ms. Aronovitz. I would agree with that. However, if HCFA de- 
cided that the only way to fulfill the research purpose was to pro- 
vide personally identifiable information, it does not have the capac- 
ity to only provide the data elements that are absolutely necessary 
to fulfill the research purpose. At that point if HCFA felt that the 
researcher really only needed, let us say, five data elements from 
that file that is where customization would not occur. 

Mr. Ramstad. And it is a question or an issue of capacity of the 
resources? 

Ms. Aronovitz. That is correct. 

Mr. Ramstad. To customize to that degree? 

Ms. Aronovitz. HCFA has said it is developing software that in 
the future will enable it to do a much better job with 
customization, but right now it doesn’t have the capability. 

Mr. Ramstad. Just recently I was privy to a demonstration by 
a computer expert who accessed his file at Columbia Presbyterian 
or wherever, revealed psychiatric data, other very confidential, sen- 
sitive data. All I could think of was this is Kafkaesque. I mean it 
was very, very unnerving, to say the least, and it just seems to me 
that we need to, this session, this year, we need to come to a con- 
sensus on a bill and get this done sooner rather than later. Would 
all three of you agree on that? 

Mr. Hash. Yes. 

Ms. Aronovitz. Yes. 

Mr. Ramstad. And then, finally, I want to ask Ms. Aronovitz a 
question just briefly in the remaining seconds I have. In your GAO 
report, you mention that HCFA has not done much to inform Medi- 
care beneficiaries about their rights under the Privacy Act. Could 
you elaborate on your findings? I mean, it is disappointing when 
this Subcommittee did a lot of work pursuant to the Balanced 
Budget amendment to ensure that beneficiaries receive clear and 
complete information about the Medicare Program, and I was just 
disappointed to read that finding. I was just wondering if you could 
elaborate on that. 

Ms. Aronovitz. As I said, the OASIS notification is an improve- 
ment over prior ones. HCFA said it uses about a dozen or so dif- 
ferent types of notifications. When somebody signs up for Medicare 
and then when they participate in the demonstration or obtain 
health care, there would be a notification. The Privacy Act requires 
a notification that has four elements, and they are very straight- 
forward. You have to tell the beneficiary your authority for col- 
lecting the information, the principal purposes you will use it for, 
all of the routine uses you will make of the information and also 
the effects on the beneficiary of not providing the information. 

Well, first of all, we found that some of the forms HCFA uses 
didn’t have all these elements and, therefore, were incomplete, in 
our judgment, in terms of providing information to the beneficiary. 
However, interestingly, the Privacy Act does not require HCFA 
anywhere on these notices to indicate that beneficiaries have a 
right to get an account of the disclosures that are made of their in- 
formation. This type of information did not appear on any of these 
notices. 
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Mr. Ramstad. Well, I see my time has expired, but I appreciate 
the explanation. It only makes me wonder that perhaps that is the 
reason so few seniors have ever contacted HCFA to see their infor- 
mation or to see HCFA’s accounting of the disclosures it makes. 
But I look forward to working with all three of you and others on 
re-establishing the right to privacy in this country. A lot of this is 
truly alarming, and I don’t say that talking in hyperbolic tones. I 
am very concerned, and I am glad to see you nodding affirmatively 
you share that concern. 

Thank you, Mr. Chairman. 

Chairman Thomas. I thank the gentleman. 

I do believe that it is a contest between public and private rights, 
and there are significant public rights when it comes to health and 
the effect that a single individual may have on the public health, 
and these are sometimes competing rights, and society historically 
has indicated that in certain instances the public’s right to know 
to deal with the public health problem can even transcend privacy 
rights. And we are going to try to deal with that in balancing it, 
not only in after-the-fact information but hopefully in a successful 
prior-to-the-fact management in a world in which it is far more 
complicated with computers but ironically enough also simpler in 
certain instances because of the ability to control the flow of data 
via electronic means. 

Gentlewoman from Florida wishes to inquire? 

Mrs. Thurman. Thank you, Mr. Chairman, and it kind of goes 
to that question. 

Ms. Aronovitz, when I was looking over your report — and, of 
course, it was basically to talk specifically about protecting bene- 
ficiaries’ confidential health information, one of the things that 
struck me was that we talk about the security weaknesses but we 
also talk about the moratorium that 0MB has placed on HCFA in 
securing or looking at any other kind of computer software. Is that 
something we should look at correcting to give them the tools that 
would be necessary to help them in this job? 

Ms. Aronovitz. Actually, the moratorium seems to be very ap- 
propriate under the circumstances. We think, in our Y2K work, 
that HCFA is facing quite a high risk in the fact that it is so close 
to the end of the year. We understand that HCFA needs to focus 
its resources on its immediate responsibility continuing to be able 
to pay claims. Unfortunately, the moratorium had to occur because 
it was one way for HCFA to assure itself that its resources would 
be centered on that immediate problem. 

However, we think that fixing the security systems for privacy 
issues is extraordinarily important also and should be addressed as 
soon as HCFA’s systems have been tested and certified as Y2K 
compliant. 

Mrs. Thurman. And is that what 0MB has indicated that, once 
that is done, that those resources would be immediately available 
for this particular issue, Mr. Hash? 

Mr. Hash. Yes, Ms. Thurman, that is my understanding; and it 
is certainly our intention that, once we pass the Y2K period, that 
this issue of installing the appropriate architecture for information 
technology security is our highest priority with our contractors. Be- 
cause it has been pointed out to us by the GAO and by others that 
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there are steps we can put into place, new systems, new technology 
that mitigate the possibility of breaches of those systems by unau- 
thorized persons, but, you know, this is an area where the tech- 
nology is racing ahead as fast as we can possibly think about keep- 
ing up with it, and I think our real challenge is to remain vigilant 
to the possibility that just when you think you may have a com- 
puter system that cannot be hacked into, somebody will undoubt- 
edly be able to figure it out. But that doesn’t relieve us of the re- 
sponsibility of taking all the steps we can to put in the strongest 
security measures available. 

Mrs. Thurman. So you all are working on this problem some- 
what consecutively with the Y2K? I mean, you are looking for those 
ways, vendors, people who could in fact put in this software? 

Mr. Hash. We are. And, in fact, another aspect of this is holding 
our contractors more accountable to, in our evaluation of them, 
that they, in fact, have put into place the appropriate kinds of secu- 
rity protections that are necessary to protect this data. So we rec- 
ognize, as I said to Chairman Thomas earlier, that we need to 
strengthen our oversight of those organizations that have access to 
this kind of information to prevent unauthorized disclosures. 

Mrs. Thurman. Thank you. 

Chairman Thomas. I thank the gentlewoman. 

Gentleman from Michigan wishes to inquire? 

Mr. Camp. Thank you, Mr. Chairman. 

I thank all three of you for testifying today. 

Ms. Aronovitz, I have a question for you. In your testimony you 
note that there are different needs that HCFA has for individually 
identifiable information and that there are beneficial uses of that 
information but, also, that there are some problems in maintaining 
the security of that data, you know, particularly regarding some of 
the administrative procedures and managing this in the context of 
an information system. What do you think the implications would 
be for HCFA if they had to comply with 50 different State laws? 

Ms. Aronovitz. I think that it would add a tremendous com- 
plexity to their work and a burden and cost that we can’t estimate, 
but it could certainly create quite an additional burden for them. 

Mr. Camp. In addition, what if Medicare patients could selec- 
tively demand that certain criteria were not or data elements were 
not to be used for certain purposes? Administratively, what do you 
think the impact and also that that information couldn’t be dis- 
closed to certain employers or employees or contractors? 

Ms. Aronovitz. I am not an expert on HCFA’s or anyone’s com- 
puter systems, but I certainly feel comfortable in saying that the 
point that HCFA is at right now, if somebody were to be very spe- 
cific about the circumstance under which they wanted their infor- 
mation to be used, it would be impossible for HCFA to comply. 

Mr. Camp. Would you agree that the private sector providers 
would face the same administrative burdens if Federal law wasn’t 
preemptive and in fact might even be worse because they wouldn’t 
have the supremacy clause to ignore certain laws at their discre- 
tion like HCFA might have? 

Ms. Aronovitz. It seems as though they would have the same 
burden. 
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On the other hand, we didn’t really look at how they are coping 
right now, and ostensibly there are companies that work in more 
than one State or all 50 and somehow seem to figure out how to 
get along, but we really don’t know enough about how they are 
doing it or the extent to which that burden could convince some of 
them not to do commerce in the States. 

Mr. Camp. Thank you very much. 

Mr. Hash. 

Mr. Hash. May I comment? 

Mr. Camp. Yes. 

Mr. Hash. I think there are a couple of observations I would like 
to make, and that is, they are — first, it is difficult to determine in 
advance exactly how States might in the future design privacy 
laws. And as I mentioned at the outset, our experience today has 
been that States have been generally sensitive to the kinds of 
issues that are necessary from our point of view to operate our pro- 
grams and to meet our fiduciary responsibilities as well as our 
quality oversight responsibilities. 

And so I think in that sense that ties into my second observation 
which is that our position is, in the administration, that we believe 
a strong Federal floor will actually reduce the incentives for States 
to want to legislate further in this area. 

As an example, I might point out that in the HIPAA law itself 
that Congress passed 3 years ago, it is basically predicated on a no- 
tion of a very strong Federal floor, and to date at least I think 
States have not been desirous of or felt it was necessary to legislate 
beyond the HIPAA floor, and I think that is why we are placing 
so much emphasis on working with you and others to develop a 
Federal standard for confidentiality and protection that will reduce 
the need for additional State legislation. 

Mr. Camp. Thank you. Thank you, Mr. Chairman. 

Chairman Thomas. Well, to point out the absurdity of that state- 
ment, if I might, Minnesota currently has a provision which re- 
quires individual release for access to information. As a matter of 
fact, Mayo Clinic built its record on its epidemiological records 
which it now cannot do with any degree of confidence because it 
can only get 97 percent sign-off. 

When you are doing research in key areas, obviously any hole in 
your data causes you problems. Let us take a Medicare patient 
from Minnesota. If Johns Hopkins wants to utilize that Medicare 
patient’s medical records and tries to go through the State of Min- 
nesota, obviously, they are going to have go through a sign-off pro- 
cedure. I believe it is a three-denial effort or get the permission of 
the individual to do it. If Johns Hopkins goes to HCFA, can HCFA 
under the arrangement that we were discussing release the infor- 
mation of that Medicare patient who happens to live in Minnesota 
to Johns Hopkins? 

Mr. Hash. The short answer is yes. 

Chairman Thomas. And John Hopkins being a reputable univer- 
sity and research structure would — of course you would be pleased 
to enter into an agreement with them? 

Mr. Hash. We would review their proposal as we do all other re- 
search proposals to first see . 
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Chairman Thomas. Careful, Ben is here and so you would review 
it very quickly. 

Mr. Hash. We would definitely review it in an expeditious man- 
ner and ascertain that the proposal, in fact, that the research ques- 
tions being posed are ones that are important to our program, that 
the methodology that the proposal includes is one . 

Chairman Thomas. As young people say, yada, yada, yada. The 
bottom line is, you will release that information to Johns Hopkins 
without the approval of the individual, and if Johns Hopkins tried 
to go through to get it from the State of Minnesota, they would 
have to follow a different procedure. 

Mr. Hash. I have to disagree with one statement you made, Mr. 
Chairman, and that is, we would not release it without the permis- 
sion of the individual. The individual in Medicare has already 
given their authorization for the use of these data to advance the 
program. 

Chairman Thomas. Let me see, I believe the trigger was you 
won’t get Medicare benefits if you don’t sign this sheet. 

Mr. Hash. I don’t believe so, Mr. Chairman. We have a variety 
of notices out there that when people sign up that indicates that 
there is a possibility that we would use personally identifiable 
data. 

Chairman Thomas. What is the turn-down ratio of Medicare ben- 
efits to people who refuse to receive Medicare benefits because they 
won’t sign the release data? 

Mr. Hash. I am not aware that there are refusals, Mr. Chair- 
man. 

Chairman Thomas. Well, all right, we can go around all night on 
this if you want to. The answer you have given me, once you filter 
all of the procedure, is Minnesota will not release that information 
to Johns Hopkins unless the individual person signs off or it goes 
through a very elaborate three-denial check procedure. 

Johns Hopkins can come and get it from HCFA without the pa- 
tient’s knowledge, and in fact, although I know Johns Hopkins 
wouldn’t do it, based upon my earlier questions, Johns Hopkins 
could provide the information, if they were someone other than 
Johns Hopkins, to somebody else and unless it was done naked, 
high noon in the town square, by the way you detect transfer of 
information, cruising the net, you wouldn’t know that it was trans- 
ferred. 

So all I am saying is it makes it very difficult for me to sit here 
and listen to you talk about building a floor and let the States go 
beyond the floor and have a structure that makes any sense at all 
because, as the sovereign, you are looking at the world, in my opin- 
ion, slightly differently than a private sector operation as reputable 
as Johns Hopkins in terms of its ability to get information. 

I understand why you are not concerned, you are the sovereign, 
but this information is essential and I might say in fact more valu- 
able in some of the private research activities in which the only 
way they are able to get the information is to hide behind you, the 
sovereign. 

So when you talk about building a floor and letting States go be- 
yond it, I think it gets kind of hypocritical when in fact that same 
entity can come to you and get the information they couldn’t get 
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from a State. It doesn’t make a whole lot more sense to build a uni- 
form system that protects in a uniform way and that lets folks opt- 
out in areas where there is general agreement that it is necessary 
to allow under the police powers of the State protections for those 
purposes, but otherwise a uniform, structured, secure, confidential, 
preemption arrangement is the better way to go. 

Gentleman from Maryland I know wants to inquire, and let me 
say before that, I am sorry he is no longer on the Subcommittee. 
I know he had to make a choice and under Democratic rules he be- 
came a powerful Ranking Member on another Subcommittee, and 
we don’t have him here, but it is a pleasure to have him. 

Mr. Cardin. Well, thank you, Mr. Chairman, and let me thank 
you for your publicity on Johns Hopkins. I should point out it is 
my understanding that Johns Hopkins has a request before NIH 
for a research project related to dentistry. So I expect to get my 
friend from Wisconsin and my friend from California sponsoring 
that. 

Let me, if I might, try to follow through on some of these ques- 
tions. 

In regards to individually identified medical records you are 
guided by the Privacy Act of 1974, I assume, and I have just tried 
to quickly read that statute and find that the language used there 
is significantly different than the language we are using here. 

I don’t see, for example, fraud and abuse or quality assurance or 
research or public health spelled out the same way that we gen- 
erally have used those terms, but I assume you believe there is 
statutory authority within the Privacy Act of 1974 to release indi- 
vidually identified medical records for those particular purposes. 
And I guess my question to you is, we have been sort of dancing 
around this a bit, but if you were to be required to comply with 
State law and if the States had requirements for individual author- 
ization for some of these uses, or a requirement that you individ- 
ually notify the beneficiary of a request for information and an op- 
portunity to opt-out without any further sanction to their Medicare 
benefits, is that workable for HCFA? Can you implement that? Is 
it costly to implement, and do you think that is good policy? 

Mr. Hash. Well, with regard to the last set of questions, Mr. 
Cardin, we do have a procedure on research protocols that involves 
contacting individual beneficiaries that gives them the prior right 
to indicate that they do not want to participate in such research 
protocols. 

Mr. Cardin. How fast can you implement that? Is that a pretty 
fast procedure? 

Mr. Hash. It is a pretty fast procedure. It usually involves a re- 
searcher who wants to draw a sample of our beneficiaries to con- 
tact them for some purpose that is outlined in their research pro- 
posal, and what we do is once we identify a sample, we actually 
write individual letters to them and give them this information 
about the opportunity to opt out if they do not wish to participate 
in it. 

Mr. Cardin. All right. 

Chairman Thomas. Will the gentleman yield briefly? Even Min- 
nesota has a three follow-up kind of self-enacting operation. What 
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does HCFA have if you write the letter and there is no response 
to the answer? 

Mr. Hash. We write the letter and then we require the re- 
searcher to wait a minimum of 10 days before contacting and then 
contact and reinquire as to whether the individual wants to partici- 
pate or not, even though they have not replied to the letter they 
got from us. 

Mr. Cardin. If they don’t reply, then that is assumed to he you 
can’t release the information? 

Mr. Hash. This is a case again of, Mr. Cardin, when an indi- 
vidual beneficiary is contacted by a researcher who wants to inter- 
view them. 

Mr. Cardin. If you don’t get notification, they don’t reply, can 
you use the records or not, if the beneficiary doesn’t respond? 

Mr. Hash. The researcher then may contact them and put the 
question again. 

Mr. Cardin. And there is still no response? 

Mr. Hash. They contact them directly, you know, orally, by tele- 
phone or by visit. 

Mr. Cardin. So you need to get written authorization before you 
release under that circumstance? 

Mr. Hash. I don’t know that it requires a written release, but 
you have to get the authorization of the individual. 

Mr. Cardin. How do you know if you don’t have it in writing? 

Mr. Hash. I don’t have an answer for that, Mr. Cardin, but I 
think — well, except I think in the research protocol we actually ask 
them to document the records about how they contacted the sam- 
ple. 

Mr. Cardin. Mr. Hash, my time is running out. I really want to 
get an answer to this. 

We don’t know what the States could enact in this area. They 
could enact restrictions on your ability to use samples for fraud and 
abuse for all we know because of their protection on the individ- 
ual’s right of privacy, which is important. My question to you is, 
if the State of Maryland enacts a law that says you can’t release 
information for fraud and abuse without specific authorization 
signed by the beneficiary, do you think that is a good policy to ad- 
here to whatever the States indicate is the right policy on release 
of medical records? 

Mr. Hash. I would hope that that kind of a policy would be built 
into the Federal floor that we are talking about, and therefore, if 
there were a conflict with Maryland law, that the Federal floor 
would obviously prevail there, but it is a question of designing the 
requirements in a sound way in the Federal floor to make sure we 
speak to those kinds of things. 

Mr. Cardin. We are in complete agreement there, and I expect 
there would be a cost associated, as I think you have already re- 
sponded, to trying to comply with 50 different State standards as 
it relates to notice to the beneficiary and authorization and opt- 
outs or things like that. There has got to be a cost associated with 
that. 

Mr. Hash. As I said, I think we need to address those issues in 
the context of what we require as a kind of uniform standard 
across all States. 
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Mr. Cardin. And one last point, if I might, and that is that you 
said you were complying with the States to the extent possible. I 
was just handed the Maryland — someone compiled a book of all the 
different regulations — and in Maryland we have a requirement 
that insurers cannot disclose information except under a set of 
standards on release of information. Do you comply with the Mary- 
land rules on disclosure of information currently? 

Mr. Hash. I am not familiar with what the Maryland rules are, 
Mr. Cardin, but I would assume they follow the same kind of proce- 
dures that we follow under the Privacy Act, but I think . 

Mr. Cardin. They are different. I am trying to match them up, 
and they are clearly different standards. There are some areas that 
are covered here that are not covered in the Privacy Act. Some in 
the Privacy Act are not covered here. 

Mr. Hash. We follow the Privacy Act. 

Mr. Cardin. So you don’t follow the Maryland general law on dis- 
closure of medical information by insurers? 

Mr. Hash. I just would like to reserve the right to review the 
Maryland law and see whether, in fact, we do or don’t. But without 
saying that, I am certain that we don’t. 

Mr. Cardin. Is there a conscientious effort to review the laws of 
the 50 States to try to comply with their privacy acts? 

Mr. Hash. Not to my knowledge, Mr. Cardin, no. But when it is 
brought to our attention that someone asserts under a State law 
a particular right or privilege, obviously that would trigger our look 
at it and to see if there was a way that we could work with the 
State and the individual to work through that in a satisfactory 
manner. But as the Chairman points out, there is always a ques- 
tion of trying to balance the important rights of individuals to con- 
fidentiality and important rights of the State. 

Mr. Cardin. Well, I agree with your point and just appreciate 
your comment. We need to adopt adequate national standards in 
this area. I agree with the gentleman. 

Chairman Thomas. I thank the gentleman. Where is HCFA’s 
headquarters? 

Mr. Hash. In Baltimore, Maryland. 

Chairman Thomas. I thank the gentleman. 

Gentlewoman from Connecticut wishes to do a follow up? 

Mrs. Johnson of Connecticut. Thank you, Mr. Chairman. 

I just wanted to go back to the issue of privacy. Under current 
practice at HCFA, do you routinely release individually identifiable 
health information to these contractors? I am talking about the 
payor contractor. I am talking about this 1,400 or so other people. 

Mr. Hash. Researchers or other government agencies that have 
data use agreements with us, we do not routinely release individ- 
ually identifiable data. It must go through the kinds of evaluation 
that I have outlined that are in our testimony before we do it. So 
we have a set of procedures to go through to determine when we 
will release. 

Mrs. Johnson of Connecticut. When do you ever need to release 
individually identifiable data? I can see why you would need to re- 
lease disease and symptoms and treatment data, but why would 
you have to have the person’s name? 
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Mr. Hash. Well, for example, if we are engaged in an activity of 
collecting a third party liability, coordinating our benefits and try- 
ing to identify if the individual has another insurance policy that 
is liable . 

Mrs. Johnson of Connecticut. I consider that a payment prob- 
lem. 

Mr. Hash. OK. Within the context of research itself, there can 
be research projects — and I would defer to Dr. Hamburg here who 
is much more skilled in the research area than I am, but there can 
be research projects that advance our knowledge in terms of pay- 
ment systems and how to do it more accurately or in terms of qual- 
ity oversight that could require the use of personally identified in- 
formation, but the presumption that we use at HCFA is that we 
start with the notion of trying to ascertain whether or not the re- 
search can be conducted successfully without personally identified 
information. That is where we start from, and only as a last resort 
do we agree to release personally identified information. 

Ms. Aronovitz. I might be able to offer one example. It would 
be a longitudinal study, for instance, where you are looking at a 
particular person over time and looking at their health status over 
time. You might want to be able to identify that person and their 
records. 

Mrs. Johnson of Connecticut. And that person has no right not 
to participate in that study? HCFA does not have to notify them 
that their data are going to be used on a longitudinal study? 

Ms. Aronovitz. This is going to sound a bit bureaucratic, but in 
fact the person has been notified through the routine use condi- 
tions of disclosure that HCFA has in terms of guiding whether it 
can give out information to researchers. 

Mrs. Johnson of Connecticut. I am interested that there are rou- 
tine situations in which you would release somebody’s personally 
identifiable information outside of HCFA. I mean, I understand for 
your payment system, but it seems to me that — and I don’t know 
what percentage of these use agreements involve the release of in- 
dividually identifiable information. Do you have any? Any of you 
have any comment on that? Whether it is most of them or — . 

Mr. Hash. No. I think — as I say, I think our presumption is ei- 
ther to provide aggregated data whenever we can or at least 
encrypted data that is stripped of any individual . 

Mrs. Johnson of Connecticut. I appreciate that. The thing is, you 
know, how many of your agreements provide individually identifi- 
able and how many provide encrypted data. 

Mr. Hash. I would be happy to try to see if I can provide that 
for the record. 

Mrs. Johnson of Connecticut. I think we need to know that, be- 
cause I think in any bill we need to directly confront this issue, and 
I personally think the burden is on us to make the case that we 
wouldn’t have to get permission. 

[The following was subsequently received:] 

As of July 21, 1999, there are 4,377 data use agreements in effect. Of these, 2,924 
involve identifiahle data and 1,453 involve encrypted data. The majority are with 
government agencies and researchers under contract to do work for the government; 
only 515 are not with Federal or State agencies or researchers under contract to 
such agencies. 
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Data Use Agreement (DUA) Statistics 


DU As Currently in Effect As of 7/21/99: 4,377 


Total Currently In Effect Involving Identifiable Data: 2 ,924 


Total Currently In Effect Involving Encrypted Data: 1,453 


DUAs Initiated Within Last Year (1998-Current): 

1,911* 

Total Identifiable: 

1,261 


Total Encrypted: 

650 



DUAs Initiated Within Last 5 Years (1994-Current): 5,167* 

Total Identifiable: 3,950 

Total Encrypted: 1,217 

*NOTE: Includes all DUAs initiated in the time period, both 
those currently in effect and those that have lapsed. 


DUAs In Effect Involving Identifiable Data by Category of Requestor 


Category 


HCFA* 

563 

DHHS* 

864 

Other 

982 

Government 


Agency* 


Non- 

515 

Government 


TOTAL 

2,924 


^Including contract researchers 
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Mr. Hash. Let me say if I may, Mrs. Johnson, that another thing 
that comes to mind in terms of where an individual identifier 
might he necessary in a research project, is when someone might 
be trying to answer questions related to how people were treated 
across different settings where there are different data systems 
with the claims information, and the only way to access that data 
across the different settings, whether it is in-patient, hospital or 
outpatient or home health or skilled nursing, is by being able to 
have the identifier that can link the claims for an individual so 
that you can actually see what happens to the patient from a hos- 
pital episode to an outpatient episode to a home health episode and 
answer some research questions associated with appropriate types 
of care. 

So that is an example of where, in order to access the data on 
services that an individual has actually received, you can’t get it 
unless you have an identifier number that links that data to a spe- 
cific individual. 

Mrs. Johnson of Connecticut [presiding]. I think it is very con- 
cerning that people would not know when these data were going 
to be used, that, you know, agreements that you have literally no 
control over, you just really can’t control the number of agreements 
you are going to have, and really this gives no privacy protection 
for Medicare participants when your agency has allowed access by 
a researcher to their files. 

So I think that we are not going to solve this here, but I think 
as we move through this bill — I mean, when I look at the battle 
that went on in H.R. 10 around privacy issues, health issues infor- 
mation is just so much more important to people individually that 
I think we are going to have to deal with this up front and clean, 
and we can’t sort of mask it behind HCFA’s judgment. At a certain 
point, if your information is going to be released with your name 
identified to it . 

So, anyway, we need to move on to the next panel, but you get 
the gist of my concerns. 

Mr. Kleczka. I was waiting for the second round. 

Mrs. Johnson of Connecticut. Briefly. They want us to move on 
to the next panel because some of them have to leave. 

Mr. Kleczka. I agree with the gentlelady that where to draw 
that line is going to be very difficult for this Subcommittee and for 
this Congress. Ms. Hamburg, in your testimony you talked about 
the public responsibility. I agree with you that an individual’s pri- 
vacy and medical privacy can never be absolute. From the dialog 
that we have been listening to, some people are stating there is an 
absolute right for all these other entities and I am saying that is 
clearly wrong. I would rather err on the side of personal privacy 
than going that way. 

The gentlelady just referenced the bill we had before the House 
the other day on banking modernization, H.R. 10. I am sure you 
are aware of the controversy as it pertains to medical records in 
that bill. Do you want to comment on that and also briefly com- 
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ment on this whole question of preemption? I am getting very con- 
fused here. 

First of all, we are told by the majority party that we have to 
defer to State rights because that is where all the knowledge and 
the power is. As a former legislator in the State of Wisconsin, I to- 
tally disagree with that. But, nevertheless, if they say so, maybe 
it is true. 

The Senate debated the Patients’ Bill of Rights and, they argued 
that the States have to be recognized in their ultimate power over 
the rights of patients in medical care, and so the Senate only ad- 
dressed the ERISA plans that cut down by almost two-thirds the 
number of people covered by that bill. 

Now on the other side of the Capitol, when it comes to medical 
privacy, the arguments is be damned with States’ rights because 
we are the all-powerful and knowing. 

And so I am saying, Mrs. Johnson, to you and your Republican 
colleagues, make up your mind so I can get on the same script with 
you. I want to be helpful, but if States should have rights, let us 
do so. If States shouldn’t have rights, I might buy into that pro- 
gram, but we can’t have it both ways depending on the issue. The 
inconsistencies are abundant. 

Dr. Hamburg, would you want to respond — not to that last point, 
but to the previous point on the modernization bill? 

Dr. Hamburg. On H.R. 10? 

Mr. Kleczka. H.R. 10 and the preemption issue. Those are two 
big issues here. 

Dr. Hamburg. Starting with the preemption issue, I think obvi- 
ously, as the discussion today has indicated and many other discus- 
sions in recent months, it is a very complicated issue. And as a rel- 
ative newcomer to Washington and somewhat naive, I have to say 
that I was originally confused about where people were lining up 
on this issue. But I think that what we do all agree on is that there 
is a need for a strong and comprehensive set of national protections 
for privacy of health care information and that we need to be very 
thoughtful about what those are. We need to reflect many of the 
kinds of concerns discussed today, but we need a strong and com- 
prehensive set of national standards. 

We think that, given how rapidly medical issues and technology 
are changing, how different certain States are in terms of the de- 
mographics and patterns of disease, and given that different States 
are in different places in terms of confidentiality and privacy pro- 
tection laws at the present time, we don’t want to put a straitjacket 
on States so that they can’t be innovators and so that they cannot 
adapt to the unique needs of their States and their citizens, but I 
think we all absolutely agree on the need for a comprehensive set 
of national standards that have both breadth and depth to address 
the kind of concerns we are talking about today. 

With respect to H.R. 10, we think that the issue of medical pri- 
vacy is sufficiently important and complicated that it should really 
be dealt with in a piece of legislation that is targeted to the issue 
of medical privacy and that it is a mistake to try to address it in 
a piecemeal fashion or as a rider to another bill. We would really 
be best served not to try to tinker with that, but instead to strike 
it all together and focus on this important set of issues through a 
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piece of legislation that targets directly the issues we are dis- 
cussing today. 

Mr. Kleczka. Thank you very much. 

Mrs. Johnson of Connecticut. I thank the panel for your testi- 
mony and we appreciate you being here this afternoon and let me 
call the next panel. 

Paul Clayton, Richard Smith, Janlori Goldman and Thomas Jen- 
kins. The Chairman will be returning as soon as possible, but we 
will proceed. 

Good afternoon. We will start with Paul Clayton, Ph.D., Senior 
Informaticist, Intermountain Health Care, Salt Lake City, on be- 
half of the American Hospital Association. Please proceed. Dr. 
Clayton. 

STATEMENT OF PAUL D. CLAYTON, PH.D., SENIOR 

INFORMATICIST, INTERMOUNTAIN HEALTH CARE, SALT 

LAKE CITY, UTAH, ON BEHALF OF THE AMERICAN HOSPITAL 

ASSOCIATION 

Mr. Clayton. I am Paul Clayton of Intermountain Health Care, 
and I am also President of the American Medical Informatics Asso- 
ciation, a member of the health privacy working group whose re- 
port was released last week, and I chaired the National Research 
Council’s 1997 study “For The Record: Protecting Electronic Health 
Information.” 

I am here today on behalf of the American Hospital Association, 
its 5,000 hospitals, health systems and other providers. The AHA 
supports strong Federal legislation establishing uniform national 
standards for all who use protected health information, with strong 
penalties for inappropriate use. Our comments today focus on how 
hospitals use and protect patient information. Our longstanding 
confidentiality principles cover a broader range of critical patient 
privacy issues, and I have attached them to my written statement. 

People who make these decisions affecting the health of patients 
must know about the medical and family history, allergies to drugs, 
previous diagnostic results, current medications, previous surgeries 
or therapies and chronic problems. Access to this information dra- 
matically affects the level of care that can be provided. 

For the past 14 years, IHC has used clinical data systems to sub- 
stantially improve patient care. Here are four examples. 

First, for inpatient prescriptions, a computerized order entry sys- 
tem warns physicians of potential allergies and drug-to-drug inter- 
actions and calculates the ideal dose levels. That dose system has 
reduced adverse drug reactions by two-thirds. 

Second, improved management of mechanical respirators for pa- 
tients with acute respiratory distress syndrome. In these most seri- 
ously ill patients, mortality rates fell from 90 to 60 percent. 

Third, improved management of outpatient diabetic patients. The 
proportion of patients brought to normal blood sugar levels im- 
proved from less than 30 percent to more than 70 percent. 

And, fourth, accountability for our performance. IHC assembles 
and reports medical outcomes, patient satisfactions and cost out- 
comes for major clinical processes. 

These examples are all successful because patient identifiable in- 
formation flowed smoothly among the providers that needed it. 
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Two provisions in various proposals could stem that appropriate 
flow of information. The first is an opt-out where patients could 
pick and choose which health information providers could see. This 
mosaic of access restrictions could greatly hinder our ability to 
render care. For example, when a patient seeks care within our 
system, IHC laboratory analyzers feed the patient’s blood tests di- 
rectly into our computers. This improves our ability to make accu- 
rate results immediately available, but it also necessarily elimi- 
nates our ability to process laboratory tests without using the elec- 
tronic medical record. 

Second, while we strongly support the development of policy to 
restrict access privileges, we are concerned that some proposals 
would require providers to limit the scope of disclosures to the min- 
imum, however that is defined, amount necessary for the specific 
purpose at hand. This means providers must repeatedly predict the 
exact present and future implications for every piece of informa- 
tion. The intellectual effort needed to ensure each person’s compli- 
ance becomes overwhelming. 

I have reviewed how we use patient information to improve care, 
and now I would like to review how we protect the information. 
Every employee, health care professional, researcher or volunteer 
must sign an agreement that they will only look at or share infor- 
mation for specific legitimate purposes of performing their health 
care delivery assignment. Each new employee undergoes training 
in IHC confidentiality policies which are set forth in a manual of 
more than 60 pages. We impose consequences, including termi- 
nation, for improper use or handling of confidential information. 
We use audit trails to monitor and access the electronic patient 
records. In the electronic format, we are able to separate patient 
identifiers from the rest of the clinical record, and we require for- 
mal review, approval and oversight of research that uses patient 
data. 

Let me conclude by saying that the technology to protect patient 
information is available, but without a Federal mandate there is 
little incentive to make such an investment. We urge Congress to 
enact legislation that will help hospitals, physicians, nurses and 
others coordinate care and improve quality and, at the same time, 
protect our patients’ medical information from misuse. 

Thank you. 

[The prepared statement and attachment follow:] 

Statement of Paul D. Clayton, Ph.D., Senior Informatieist, Intermountain 

Health Care, Salt Lake City, Utah, on behalf of the American Hospital As- 
sociation 

Mr. Chairman, I am Paul D. Clayton, PhD, senior informatieist at Intermountain 
Health Care (IHC) in Salt Lake City, UT. IHC is an integrated health care delivery 
system that operates in Utah, Idaho and Wyoming. The IHC system includes 23 
hospitals, 78 clinics and physician offices, 23 outpatient primary care centers, 16 
home health agencies, and 400 employed physicians. In addition, our system oper- 
ates a large Health Plans Division with enrollment of 475,000 directly insured, plus 
430,000 who use our networks through other insurers. 

I am testifying today on behalf of the American Hospital Association (AHA), which 
represents nearly 5,000 hospitals, health systems, networks, and other providers of 
care. We appreciate this opportunity to present our views on an issue important to 
hospitals, health systems, and the patients they serve: the confidentiality of pro- 
tected health information. 
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Protecting Patients’ Trust 

Every day, thousands of Americans walk through the doors of America’s hospitals. 
Each and every one of them provides caregivers information of the most intimate 
nature. They provide this information under the assumption that it will remain con- 
fidential. It is critical that this trust be maintained. Otherwise, patients may be less 
forthcoming with information about their conditions and needs-information that is 
essential for physicians and other caregivers to know in order to keep people well, 
ease pain, and treat and cure illness. 

If caregivers are not able to obtain and share patients’ medical histories, test re- 
sults, physician observations, and other important information, patients will not re- 
ceive the most appropriate, high-quality care possible. 

Our members consider themselves guardians of this information. That is why 
AHA has long supported the passage of strong federal legislation to establish uni- 
form national standards for all who use patients’ personal medical information-what 
we refer to as protected health information. We have been asked to focus our com- 
ments today on how hospitals use and protect patient information to enhance the 
quality of the patient care they deliver. Our longstanding principles for the confiden- 
tiality of health information cover a broader range of critical patient privacy issues, 
and we have attached them for your information. We will measure any federal pri- 
vacy legislation against these principles in their entirety. 

Confidentiality of health information is an issue that affects all of us personally. 
We live in a time of rapidly advancing technological improvement, when the world 
seems to get smaller as computers get more powerful and databases get bigger. This 
technological change can be positive — it has led to significant improvements for both 
health care providers and their patients — but it worries people who are justifiably 
concerned about how information about them will be used. 

In health care, we must take the steps necessary to protect that information from 
those who would misuse it. We need strong, uniform federal legislation to do it. 

First and foremost, because we as hospitals and health systems put our patients 
first, we must restore and maintain people’s trust in the privacy and confidentiality 
of their personal health information. Federal legislation can do this by establishing 
a uniform national standard for the protection of this information — including genetic 
information — a standard that balances patient privacy with the need for information 
to flow freely among health care providers. 

Privacy and Health Care Operations 

Health care is increasingly provided by groups and systems of providers, as op- 
posed to individual providers. These new systems create opportunities for real im- 
provements, but they rely heavily on a free flow of information among providers. 
Patient confidentiality is of the utmost importance. But in order to ensure that care 
can be coordinated and the patient’s experience is as seamless as possible, informa- 
tion must be accessible to all providers who treat the patient. 

There is very little disagreement that access to information is important in the 
delivery of care to patients, and in the system of payment for that care. Controversy 
has developed, however, over the definition of “health care operations” — those essen- 
tial functions performed by providers to ensure that they maintain and improve the 
quality of the care they deliver, train current and future caregivers, and adhere to 
the laws and regulations that govern these daily activities. AHA believes that pro- 
tected health information must be available to providers so that these functions can 
be performed efficiently and effectively. 

Information Breeds Health Care Success Stories 

At IHC, we believe, as does the AHA, that individuals who are making decisions 
that affect the health of another person must know about past medical and family 
history, allergies to drugs, previous diagnostic results, current medications, previous 
surgeries or therapies, and chronic and acute problems. Because the primary care- 
giver is not present all the time, because others are asked for consultive opinions, 
and because humans have limited memory, access to medical record information 
dramatically affects the level of care that can be provided. In some cases, the ab- 
sence of information increases the cost of diagnosis and treatment by causing tests 
to be repeated because the results of an earlier tests are not available. 

Among the benefits of improved access are an enhanced ability to generate bills 
and collect payment, and to transmit information to payers and analyze the costs 
of providing care. Care is also improved when a caregiver has access to the medical 
record. A physician or other health care worker who knows what drugs a patient 
is taking, a list of previous problems, a history of family predisposition to certain 
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illnesses, and current laboratory results, will make better decisions about how to di- 
agnose and treat a patient. 

At IHC, we have, for the past 14 years, used clinical data systems to substantially 
improve patient care in a wide range of circumstances. Here are a few examples. 

• Improved timing of delivery of pre-operative antibiotics to prevent serious post- 
operative wound infections. Our wound infection rate fell from 1.8 percent to 0.4 per- 
cent, representing, at just one of our 23 hospitals, more than 50 patients per year 
who now do not suffer serious, potentially life-threatening infections. We also saved 
the cost of treating those infections, which, at that hospital, was estimated at 
$750,000. 

• Improved support for inpatient prescriptions. A computerized order entry system 
warns physicians, at the time they place the order, of potential allergies and drug- 
to-drug interactions. It also calculates ideal dose levels, using the patient’s age, 
weight, gender, and estimates of patient-specific drug-absorption and excretion 
rates, based on laboratory values. That system has reduced allergic reactions and 
overdoses by more than two-thirds. 

• Improved management of mechanical respirators for patients with acute res- 
piratory distress syndrome. In the most seriously ill category of these patients, mor- 
tality rates fell from more than 90 percent to less than 60 percent. 

• Improved management of diabetic patients in an outpatient setting. The propor- 
tion of patients brought to normal blood sugar levels improved from less than 30 
percent to more than 70 percent. Major studies of diabetes demonstrate that this 
kind of shift in blood sugar translates to significantly less blindness, kidney failure, 
amputation and death. Others indicate it should reduce the cost of treatment for 
diabetes patients by about $1,000 per patient per year. 

• Improved treatment of community-acquired pneumonia. By helping physicians 
more appropriately identify patients who needed hospitalization, choose appropriate 
initial antibiotics, and start antibiotic therapy quickly, we were able to reduce inpa- 
tient mortality rates by 26 percent. That translates into about 20 lives saved at 10 
small rural IHC hospitals when we first worked on this aspect of care. It also re- 
duced costs by more than 12 percent. 

• Accountability for health care delivery performance. IHC has begun to assemble 
and report medical outcomes, patient satisfaction outcomes, and cost outcomes for 
major clinical care processes that make up more than 90 percent of our total care 
delivery activities. We aggregate and report those data at the level of individual 
physicians; practice groups; hospitals; regions; and for our entire system. We use the 
results to hold each health care professional and our system accountable for the care 
we deliver to our patients, and to set and achieve care improvement goals. We be- 
lieve that this system will eventually allow IHC to accurately report our perform- 
ance at community, state and national levels, and help individuals and groups make 
better health care choices. 

All of the examples above were successful because patient information — not just 
individual patient information, but also information about populations of patients — 
was available, and flowed smoothly among the providers that needed it. 

Potential Disruptions to the Free Flow of Information 

There are two provisions in various patient privacy proposals that could have the 
unintended effect of placing enormous barriers in front of providers’ ability to appro- 
priately use information for these and similar purposes. 

The first is what has been referred to as the “opt out,” where patients would have 
the ability to prevent providers from sharing the patient’s information regardless of 
how important such a disclosure might be. 

The problem with such an opt out is that it sacrifices hospitals’ ability to deliver 
high-quality care to the individual involved, as well as to other patients. For exam- 
ple, IHC’s laboratory analyzers feed directly into our computer system. When we 
committed to that link, we not only significantly improved our ability to deliver ex- 
cellent care to all of our patients, but also necessarily lost our ability to process 
blood laboratory tests without using the electronic medical record. 

In addition, a patient who might decide to prevent his or her records from being 
shared among providers is, effectively, reducing the quality of health care he or she 
may receive in the future. This is because, without access to that patient’s records, 
providers simply cannot make well-informed decisions. At the same time, removing 
the patient’s treatment information as a factor in overall health care statistics de- 
grades the overall integrity of the health care information flow. In other words, if 
less is known, less can be learned, and the overall quality of care could be affected. 

The second potential problem we see being discussed is a requirement, included 
in several patient privacy proposals, that providers must limit the scope of medical 
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information disclosures to no more than what is necessary for the specific purpose 
of the disclosure. Penalties would he levied, according to the proposals, presumably 
if too much information were to be provided. 

Health care providers, who deal with a mountain of information every day, simply 
cannot be expected to determine the exact need for every piece of information and 
the exact measurement of information that may be required to meet that need. The 
threat of penalties makes the proposals worse, and is sure to inhibit the free flow 
of important information. In addition, proper safeguards should already be in place 
that would prevent the misuse of patient information, so that requiring providers 
to justify each disclosure would be unnecessary. 

Proper policies and procedures will ensure that patient information is used only 
where it is needed to benefit the health care services provided to an individual pa- 
tient, or to improve the overall health care system through statistics and analysis. 

Safeguarding Patient Information 

IHC and the AHA support strong, uniform federal confidentiality standards that 
buttress our health care delivery and clinical research work. IHC has placed appro- 
priate protection of patient confidentiality and privacy at the forefront of our institu- 
tional values. Those values complement a parallel mission to provide the best pos- 
sible health maintenance and disease treatment to those who trust their care to our 
hands. Achieving this requires the use of population-level patient data as well as 
individual patient data. 

IHC uses enforceable corporate policy to maintain confidentiality not just for pa- 
tients, but for health care professionals and employees as well, in those areas that 
are clearly health care delivery operations (such as direct patient care delivery; bill- 
ing for services; quality review of individual patient records, including mortality and 
morbidity conferences; resource planning; unit performance evaluation; quality im- 
provement and disease management; and retrospective epidemiologic evaluations of 
program performance). The core of these policies and enforcement activities include: 

• We require every employee, health care professional, researcher or volunteer to 
sign a confidentiality agreement stating that they will only look at or share informa- 
tion for the specific purpose of performing their health care delivery assignment on 
behalf of our patients. We require each new employee to undergo training in IHC 
confidentiality policies, which are set forth in a manual that numbers more than 
60 pages and represents more than five years of discussion and cross-testing. 

• We impose consequences — including termination — for improper use or handling 
of confidential information. 

• To the extent that we have implemented an electronic medical record, we are 
able to monitor access to patient records (an ability not available for paper records). 
We use that system as one important method of monitoring and enforcing our con- 
fidentiality policy. We utilize software controls, including warnings on log-on 
screens, unique log-on passwords, and computerized audit trails. In the near future, 
we hope to bring on-line the ability of all patients to review a list of every individual 
who has accessed their electronic medical record for any purpose. 

• We segregate our electronic databases, separating patient identifiers from the 
remainder of the clinical record. Outside of direct patient care and individual record 
review for quality assurance, most health care delivery operations do not require ac- 
cess to identifiable data. IHC’s data access policies regulate access to patient infor- 
mation using strict “need to know” criteria by job description. While we afford tight 
access control to all of our information, the identifiable portion of the record receives 
the highest level of protection. 

• We are studying ways to segregate the core clinical record itself, so that particu- 
larly sensitive information — for example, HIV status, reproductive history, or men- 
tal health status — are only available on a strict “need to know” basis, even to the 
front-line care delivery team. 

In addition, we require full institutional review board (IRB) review, approval and 
on-going oversight for any research project that involves experimental therapy, pa- 
tient randomization among treatment options, or patient contact for research pur- 
poses. Indeed, the IHC system has 12 IRBs, but we do not look to them as our 
sole — or even our primary — means to protect confidentiality. Most of the risks to pa- 
tient confidentiality come in day-to-day care, as physicians and nurses routinely ac- 
cess identifiable patient medical records, both paper and electronic, to deliver care. 
Instead, we rely upon the extensive array of enforceable policies and procedures list- 
ed above. 

If IRB review of each of these health care operations were required, many — if not 
most — of the operational care delivery and health outcome improvements described 
earlier could not function on a day-to-day basis. The volume of review would be 
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staggering, far beyond the capacity of any reasonable system of individual review 
and follow-up oversight. 


Conclusion 

As an integrated health care delivery system, IHC is responsible for the health 
outcomes of the patients who seek care from our system. In order to treat our pa- 
tients and improve the health outcomes of the entire population we serve, we must 
be able to share information among IHC entities — our physicians, our hospitals, and 
our health plans. IHC has developed state-of-the-art electronic medical records and 
common databases to facilitate this communication, to make sure our physicians 
have complete information when treating patients . We have put in place an exten- 
sive array of enforceable confidentiality protections that are constantly updated and 
improved. 

We urge this panel to ensure that confidentiality legislation does not unintention- 
ally prevent the creation of these common internal, operational databases, or limit 
the types of data that can be shared within an integrated delivery system. Such ac- 
tion would severely limit a health system’s ability to measure and improve the 
health care it delivers. 

The outstanding care that physicians, nurses and others deliver at IHC and in 
hospitals and health systems across America relies more and more on coordination 
of care and on effective quality improvement. Individually identifiable health infor- 
mation is integral to such operations, and the free flow of this information — properly 
safeguarded from misuse — is critical to our ability to continue providing high-quality 
health care for patients and communities. 

American Hospital Association 

Principles for Confidentiality of Health Information 

Every day, thousands of Americans walk through the doors of America’s hospitals. 
Each and every one of them provides caregivers information of the most intimate 
nature. They provide this information under the assumption that it will remain con- 
fidential. It is critical that this trust be maintained. Otherwise, patients may be less 
than forthcoming with information about their conditions and needs — information 
that is essential for physicians and other caregivers to know in order to keep people 
well, ease pain, and treat and cure illness. 

If caregivers were not able to obtain and share patients’ medical histories, test 
results, physician observations, and other important information, patients would not 
receive the most appropriate, high-quality care possible. Our members consider 
themselves guardians of this information, which is why AHA has long supported the 
passage of strong federal legislation to establish uniform national standards for all 
who use health information. 

In health care, we must take the steps necessary to protect patients’ confidential 
information from those who would misuse it. We need strong, uniform federal legis- 
lation to do it. 

AHA goals for legislation 

First and foremost, because we as hospitals and health systems put our patients 
first, we must restore people’s trust in the privacy and confidentiality of their per- 
sonal health information. Federal legislation can do this by establishing a uniform 
national standard for the protection of health information — including genetic infor- 
mation — a standard that balances patient privacy with the need for information to 
flow freely among health care providers. The AHA believes that federal confiden- 
tiality legislation must meet the following goals: 

• Allow patients and enrollees access to their medical information, including the 
opportunity, if practical, to inspect, copy, and, where appropriate, add to the medical 
record. Patients have a right to know what information is in their records. This level 
of accountability encourages accuracy and has the added benefit of encouraging pa- 
tient involvement in their care. 

• Preempt state laws that relate to health care confidentiality and privacy rights, 
with the exception of some public health laws. Health care today is delivered 
through providers that are linked together across delivery settings, and in organiza- 
tions that cross state boundaries. AHA believes that the best way to set important 
standards for confidentiality of health information is to do so uniformly — through 
a strong federal law. This law must be both a floor and a ceiling, preempting all 
state laws with which it may conflict, weaker or stronger. Only through such a uni- 
form law can patients’ confidential information be equally protected regardless of 
the state in which they live or travel. 
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• Be broad in its application, covering all who generate, store, transmit or use in- 
dividually identifiable health information, including but not limited to providers, 
payers, vendors, and employers. Patient confidentiality cannot be ensured unless 
standards are applied to all who may have access to their health information. Legis- 
lation should cover all types of individually identifiable health information, includ- 
ing sensitive issues such as substance abuse, mental health, and genetic informa- 
tion. 

• Strike an appropriate balance between patient confidentiality and the need to 
share clinical information among the many physicians, hospitals and other care- 
givers involved in patient care. Care is increasingly provided by groups and systems 
of providers as opposed to individual providers. These new systems create opportu- 
nities for real improvements, but they rely heavily on a free flow of information 
among providers. Patient confidentiality is of the utmost importance. But in order 
to ensure that care can be coordinated and the patient’s experience is as seamless 
as possible, information must be accessible to all providers who treat the patient. 

• Recognize that a hierarchy of need exists among users of health information. 
Access to individually identifiable information is essential for patient care. Such ac- 
cess may also be necessary for provider and health care system efforts to measure 
and improve the quality of care. All internal and external uses of patient informa- 
tion must be evaluated as to whether the use of individually identifiable information 
is justified. 

• To limit its potential misuse, all within the health system should restrict the 
availability of individually identifiable information. Technology is available to do 
this, through encryption, audit trails, and password protection, for example. Another 
method for restricting the availability of individually identifiable information is to 
aggregate information whenever possible. Patients should be assured that unique, 
identifiable information about them is available for their treatment, but that its 
availability for other uses is tightly controlled. 

• Include sufficient civil and criminal penalties to deter inappropriate disclosure 
of individually identifiable information. The level of such sanctions should vary ac- 
cording to, the severity of the violation. At the same time, any penalty imposed 
must take into account good-faith efforts by providers who establish data safe- 
guards, educate employees about complying with these safeguards, and attempt to 
maintain secure recordkeeping systems. 


Mrs. Johnson of Connecticut. Thank you very much, Dr. Clay- 
ton. 

Dr. Richard Smith, Professor of Psychiatry at the Centers for 
Mental Health Services Research, University of Arkansas on hehalf 
of the American Medical Colleges. 

Dr. Smith. 

STATEMENT OF G. RICHARD SMITH, JR., M.D., PROFESSOR OF 
PSYCHIATRY AND MEDICINE, UNIVERSITY OF ARKANSAS 
FOR MEDICAL SCIENCES, ON BEHALF OF THE ASSOCIATION 
OF AMERICAN MEDICAL COLLEGES 

Dr. Smith. Thank you, Mrs. Johnson and Members of the Sub- 
committee. I am Dr. G. Richard Smith from the University of Ar- 
kansas for Medical Sciences, a practicing psychiatrist and director 
of one of the Nation’s largest mental health services research 
groups as well as our college of medicine’s health services research 
program. I am speaking today on behalf of the Association of Amer- 
ican Medical Colleges, the AAMC. 

AAMC strongly supports the general intent of current congres- 
sional efforts to strengthen the protection of individual’s personally 
identified health information from inappropriate and harmful mis- 
use that can lead to discrimination or stigmatization. In the inter- 
est of public health, this protection should take into account the 
need for health services and biomedical researchers to have ready 
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access to archival materials on relevant populations required to 
generate meaningful conclusions regarding the incidents and ex- 
pression of diseases in specified populations, the beneficial and ad- 
verse outcomes of particular therapies and the medical effective- 
ness and economic efficiency of the health care system. 

In attempting to deal with the difficult issues of medical informa- 
tion confidentiality, legislative efforts should be directed toward re- 
quiring the establishment of strong administrative, technical and 
fiscal safeguards to protect the confidentiality, security, accuracy 
and integrity of information that directly identifies an individual. 
Legislation should also specify stiff criminal, civil and administra- 
tive penalties for intentional or recklessly negligent actions that 
violate medical information confidentiality. With such stringent se- 
curity requirements in place, AAMC believes legislation should re- 
frain from attempting to construct elaborate barriers to the rel- 
atively unimpeded flow of medical information that is required for 
the promotion of a comprehensive national agenda medical re- 
search. 

In particular, the AAMC is concerned about secondary research 
which utilizes patients records as research material and does not 
involve interaction with individual patients. For example, mental 
health services research on patient records has established that pe- 
diatric patients treated for attention deficit disorder, or ADHD, 
were far less likely to use and become dependent upon illegal drugs 
during young adulthood than people with ADHD who did not re- 
ceive appropriate information. 

Archival data was also critical to establishing the postmarketing 
safety and effectiveness of drugs. Since many patients with major 
mental illness require long-term medication treatment, the effects 
of chronic use of new drugs cannot be adequately assessed in con- 
ventional premarketing clinical trials. The consequences can only 
be recognized by retrospective study of large populations over pro- 
longed periods of time. Archival data were essential in establishing 
the safety of a new generation of antidepressant drugs on the 
fetuses of mothers who had been receiving these drugs chronically 
for the treatment of depression. 

In sum, access to archival data is critical to assuring the health 
of patients with mental illness, just as with any other medical ill- 
ness. Archival data also help us to identify the relative contribution 
of genetic, environmental and developmental factors related to the 
risk of specific mental disorders in families across generations. 

The uncertainty and predictability of secondary research make 
the applicability and traditional informed consent procedures prob- 
lematic. For secondary research using medical information that is 
individually identified, the AAMC believes a statutory requirement 
of specific authorization would be unwise and could seriously bias 
and therefore undermine the integrity of vital research databases. 
Rather, the Association recommends that all such proposed re- 
search should be reviewed by an institutional review board or 
equivalent mechanism to ensure that research is credible, the need 
for individually identifiable medical information is legitimate and 
the investigators have in place confidentiality policies and proce- 
dures required by statutes. 
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Patients’ confidence in the medical research use of their personal 
medical information would be greatly enhanced by the inclusion of 
a statutory assurance of confidentiality as provided in S. 881, spon- 
sored by Senator Bennett, and H.R. 2470, sponsored by Represent- 
ative Greenwood. Such an assurance would prohibit any unauthor- 
ized attempts to gain access for nonresearch purposes to individ- 
ually identified health information contained in research databases. 

The AAMC strongly supports the position of new Federal infor- 
mation privacy legislation preempting State privacy laws. There is 
a compelling Federal interest in ensuring that medical research is 
facilitated and not hindered by this disorganized patchwork of 
State privacy laws. The AAMC commends this Subcommittee for 
convening this hearing to address the need for confidentiality legis- 
lation and the efforts of Chairman Thomas and Representative 
Cardin in crafting legislation that would enhance security of med- 
ical records. 

This concludes my statement, and I would be happy to answer 
any questions the Committee has. 

[The prepared statement follows:] 

Statement of G. Richard Smith, Jr., M.D., Professor of Psychiatry and Medi- 
cine, University of Arkansas for Medical Sciences, on hehalf of the Asso- 
ciation of American Medical Colleges 

Mr. Chairman and members of the Subcommittee, I am Richard Smith, M.D., Pro- 
fessor of Psychiatry and Medicine at the University of Arkansas for Medical 
Sciences. 1 am a practicing psychiatrist and also conduct mental health services re- 
search. I lead the Centers for Mental Health Services Research at the University 
of Arkansas, which is one of the nation’s largest mental health and services research 
groups, as well as our College of Medicine’s health services research program. I am 
a recent past member of the National Mental Health Advisory Council for the Na- 
tional Institute of Mental Health (NIMH). I also chaired the NIMH Initial Review 
Group for mental health services research, which reviews virtually all of the mental 
health services research grant applications submitted to NIMH. 

I am speaking today on behalf of the Association of American Medical Colleges 
(AAMC). The AAMC represents the nation’s 125 accredited medical schools, nearly 
400 major teaching hospitals and health care systems, more than 87,000 faculty in 
89 professional and scientific societies, and the nation’s 67,000 medical students and 
102,000 residents. 

The AAMC strongly supports the general intent of current Congressional efforts 
to strengthen the protection of individuals’ personally identified health information 
from inappropriate and harmful misuse that can lead to discrimination or stig- 
matization. 

Confidentiality legislation must acknowledge the compelling public interest in 
continuing to ensure access to patient records and other archival materials required 
to pursue biomedical, behavioral, epidemiological and health services research. Med- 
icine has always been, and largely remains to this day, an empirical discipline, and 
the history of medical progress has been created over many centuries from the care- 
ful, systematic study of normal and diseased individuals. From those studies has 
emerged our present level of understanding of the definition, patterns of expression 
and natural history of human diseases, and their responses to ever improving strat- 
egies of diagnosis, treatment, and prevention. In particular, health services re- 
searchers continue to depend upon the ready accessibility of archival materials to 
collect the large and appropriately structured and unbiased population samples re- 
quired to generate meaningful conclusions regarding the incidence and expression 
of diseases in specified populations, the beneficial and adverse outcomes of par- 
ticular therapies, and the medical effectiveness and economic efficiency of the health 
care system. Indeed, in the present climate of major public concern about the costs, 
quality, and efficiency of our rapidly changing health care delivery system, the need 
to support and promote such retrospective epidemiological and health services re- 
search has become an urgent priority. 

The AAMC strongly believes that in attempting to deal with the difficult issues 
of medical information confidentiality, the most feasible and effective approach is 
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not to erect costly and burdensome new barriers to accessing medical information 
required to conduct research. Rather, legislative efforts should be directed, as most 
of the current proposals attempt to do, toward requiring the establishment of strong 
administrative, technical and physical safeguards to protect the confidentiality, se- 
curity, accuracy and integrity of information that directly identifies an individual. 
Included among these safeguards should be strong institutional policies of confiden- 
tiality, which might appropriately meet federal standards to be developed. To com- 
plete the “security package,” legislation should specify stiff criminal, civil, and ad- 
ministrative penalties for intentional or recklessly negligent actions that violate 
medical information confidentiality. With stringent security requirements of this 
kind in place, the AAMC believes that legislation should refrain from attempting 
to construct elaborate barriers to the relatively unimpeded flow of medical informa- 
tion that is required for the promotion of a comprehensive national agenda of med- 
ical research. 

Given the substantial penalties contained in the confidentiality bills now in draft 
or under consideration, it is imperative that bills’ definitions be crafted with great 
clarity. Of particular importance is the definition of “individually identifiable health 
information,” the class of medical information most in need of protection from inap- 
propriate disclosure and harmful misuse, and correspondingly of “non-individually 
identifiable health information,” the class that would fall outside the purview of con- 
fidentiality legislation. The AAMC believes that the protected class of medical infor- 
mation should be sharply circumscribed and limited to “information that directly re- 
veals the identity or provides a direct means of identifying an individual.” Such a 
definition is least ambiguous and incorporates the sum and substance of the infor- 
mation that the public is most concerned to protect. 

Correspondingly, the definition of “nonidentifiable health information” should en- 
compass “information that does not directly reveal the identity of an individual.” 
This definition should explicitly include coded or encrypted information (sometimes 
called “anon3Tnized”), whether or not the information is linkable to individuals, as 
long as the encryption keys are secured and kept separate from the encrypted infor- 
mation itself. The justification for including encrypted, linkable information in the 
definition of nonidentifiable health information is significantly strengthened by add- 
ing additional provisions that make it a crime to attempt to use encrypted patient 
data to discover an individual’s identity by any means other than the lawful use 
of an encryption key. 

The AAMC believes that a set of properly constructed definitions of protected 
health information and nonidentifiable health information will serve both to foster 
medical research and establish an incentive system for using nonidentifiable health 
information in such research to the maximum extent practical. 

The AAMC is especially concerned about the conduct of secondary research on ar- 
chival patient materials. These studies utilize patient records as primary research 
materials and do not involve interaction with individual patients. In mental health 
services research, for example, secondary research on patient records has estab- 
lished that pediatric patients treated for attention deficit disorder (ADHD) were far 
less likely to use and become dependent upon illegal drugs during adolescence and 
young adulthood than patients with ADHD who had not received appropriate treat- 
ment. Archival data were essential in recently establishing the safety of the new 
generation of antidepressant drugs (selective serotonin reuptake inhibitors) on the 
fetuses of mothers who had been receiving these drugs chronically for the treatment 
of depression. As these examples suggest, archival patient data are critical to estab- 
lishing the post-marketing safety and effectiveness of drugs. Since many patients 
with major mental illness require long-term medication treatment, and the effects 
of chronic use of new drugs cannot be adequately assessed in conventional pre-mar- 
keting clinical trials, the consequences can only be recognized by retrospective study 
of large populations over prolonged periods of time. In sum, access to archival data 
is critical to assuring the health of patients with mental illnesses. 

Archival data can also be useful in identifying risk factors related to the onset 
of a mental illness. For example, there continues to be strong interest in the role 
of genetic factors in the etiology of major mental illnesses such as schizophrenia, 
bipolar disorder, major depression and obsessive compulsive disorder. In seeking 
clues that could help to direct future research in this area, it is critical for research- 
ers to be able to access archival patient care records, for example, of deceased family 
members of patients involved in genetic studies. It is possible that mental illnesses 
that are now not linked in any way might be found to cluster in families in a man- 
ner that suggests a common genetic etiology. Archival data can also help to clarify 
the relative contribution of genetic, environmental and developmental factors re- 
lated to risk of specific mental disorders in families across generations. 
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In contrast to the typical interventional clinical research study, in which research- 
ers directly interact with patients in well-defined protocols and can provide them 
with the detailed information required for informed consent, the uncertainties and 
unpredictability of secondary research make the applicability of traditional informed 
consent procedures problematic. Accordingly, under the provisions of the federal 
Common Rule, such retrospective research has been singled out for special attention 
and, under the criterion that the proposed research is commonly deemed to be of 
no more than minimal risk to research subjects, has typically been handled by Insti- 
tutional Review Boards (IRBs) by use of the expedited review mechanism, or even 
on occasion, by wavier of review. 

For secondary research using medical information that is individually identified, 
i.e. that fall within the definition of protected health information, the AAMC be- 
lieves that a statutory requirement of specific authorization would be unwise and 
could seriously bias, and thereby undermine the integrity of these vital research 
databases. Rather, the Association recommends that all such proposed research 
must be reviewed by an IRB or equivalent mechanism. The reviewing body should 
be required to determine that (1) the organizational setting in which the research 
will be conducted is in conformity with statutory requirements for safeguarding 
medical information confidentiality; (2) the research requires the use of individually 
identifiable patient information and could not be performed without it; and (3) it 
would not be practicable or feasible for the investigators to attempt to obtain indi- 
vidual informed consent from the subject population. Such a review procedure would 
sufficiently protect the privacy interests of the research subjects, while at the same 
time continuing to facilitate the conduct of a broad spectrum of beneficial secondary 
research on archival patient materials. Instead of mandating specific consent for 
secondary research, the Association recommends that IRBs or other equivalent re- 
view bodies should continue to review such research and determine whether specific 
consent is necessary on a project by project basis. 

In addition, AAMC firmly believes that patients’ confidence in medical research 
uses of their personal medical information would be greatly enhanced by the inclu- 
sion of a “statutory assurance of confidentiality” as provided by S. 881 sponsored 
by Senator Bennett and H.R. 2470 sponsored by Rep. Greenwood. Such an assur- 
ance would prohibit any unauthorized attempts to gain access for non-research pur- 
poses to individually identifiable health information contained in research data- 
bases, including Federal, State, or local civil, criminal, administrative, legislative, 
or other proceedings. Consequently, researchers could confidently assure patients 
that all individually identifiable medical information that might be used in the 
course of research would be shielded from forced disclosure to anyone, including 
family members, employers, insurers, health care organizations or legal or judiciary 
processes. 

The “statutory assurance of confidentiality” provision is modeled on the existing 
Certificate of Confidentiality issued by the National Institutes of Health on a project 
by project basis. The origin of the Certificate of Confidentiality dates back to the 
Vietnam War era. Scientists and policy makers were very concerned about the ex- 
tent of heroin use by our soldiers in Vietnam — and the danger that they might be 
permanently addicted when they returned to the United States. Since heroin posses- 
sion was then — and is — a crime, it would have been impossible to enlist the subjects 
necessary to conduct a follow-up study of heroin use in the US by these ex-GIs. The 
grant of confidentiality enabled scientists to track a cohort of former service men, 
to collect urine to screen for drugs, and to conduct detailed interviews. The study 
documented an extremely low percentage of heroin use in the US by former users 
in Vietnam. The Certificate of Confidentiality has been applied to other studies in 
the addictions field, for example, to the studies that demonstrated the effectiveness 
of Methadone substitution therapy for heroin addicts, and it continues to be crucial 
to much clinical research in this area. 

The AAMC strongly supports the argument that new federal legislation dealing 
with medical information privacy be preemptive of state privacy laws, with the ex- 
ception of those state laws dealing with public health reporting requirements, which 
are well established, time tested and closely integrated with the nationwide data 
collection and eyaluation actiyities of the Centers for Disease Control and Preven- 
tion. The Association recognizes that this recommendation is controversial, but ar- 
gues that the support of medical research is a long-established and high priority of 
the federal government, and that there is therefore a compelling federal interest in 
ensuring that medical research is facilitated, and not hindered or blocked by a 
discoordinated patchwork of burdensome state privacy legislation. Much contem- 
porary medical research, especially epidemiological and health services research, re- 
quires access to large, unbiased population samples encompassing many states. Ac- 
cordingly, the Association recommends that any new federal confidentiality legisla- 
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tion should over-ride state laws to ensure consistent nation-wide governance of ac- 
cess to archival patient materials for research. The Association is troubled hy legis- 
lation that allow states to enact tougher privacy laws or carve-out certain disease- 
specific state statutes from federal pre-emption. While acknowledging the sensitivity 
of this issue, we point out that many different diseases are considered especially 
sensitive hy those who suffer from them and their advocates, and to single out a 
particular type of information, such as mental health records, for special protection 
opens a loophole in the intended federal preemption that the AAMC believes would 
prove very difficult to limit. 

The impact of managed behavioral health care on mental health services has been 
profound. The health insurance programs of more than 162 million Americans re- 
quires them to access mental health services through these carve-out companies. 
The major companies offer services across the country. The positive side of managed 
behavioral health care is that it has made parity of health care coverage for mental 
illness a realistic option. In addition, the companies have been able to amass a great 
deal of information on the mental health services being provided to the US popu- 
lation. On the down side, controversies abound regarding the quality of care in some 
managed behavioral health care programs. Health services researchers have a great 
opportunity and responsibility to help the American public to assess the quality of 
mental health services in these programs. This is not an issue that can be stopped 
at a state line. It is critical that managed behavioral health care companies be en- 
couraged to work with the health services research community to assess quality of 
treatment outcomes, and that federal law pre-empt state privacy laws that would 
make this impossible. 

The AAMC commends this Subcommittee for convening this hearing to address 
the need for confidentiality legislation and the efforts of Chairman Thomas and Rep. 
Cardin in crafting legislation that would enhance the security of medical records. 
The Association urges Congress to be mindful of the fact that the facilitation of bio- 
medical, epidemiological and health services research is a compelling public priority 
that has served this nation well and offers bright promise for the future of human 
health. The AAMC strongly believes that the combination of statutory safeguards 
of the security of individually identifiable medical information, stiff penalties for vio- 
lations, and the creation of special protections for medical information that is cre- 
ated in research and maintained in research databases, as we have suggested, make 
it unnecessary to elaborate new, burdensome and potentially chilling restrictions of 
access to medical information for purposes of retrospective non-interventional re- 
search. 


Mrs. Johnson of Connecticut. Thank you very much. 

Ms. Janlori Goldman, Director of Health Privacy Project for the 
Institute for Health Care Research and Policy. Nice to have you. 

STATEMENT OF JANLORI GOLDMAN, DIRECTOR, HEALTH PRI- 
VACY PROJECT, INSTITUTE FOR HEALTH CARE RESEARCH 

AND POLICY, GEORGETOWN UNIVERSITY 

Ms. Goldman. Thank you for inviting me to testify here today. 
I appreciate it. 

As you said, I am the Director of the Health Privacy Project at 
Georgetown University. I have been working on privacy and med- 
ical privacy issues for almost 13 years. What I would like to ask 
is that a revised version of my testimony, a neater version and one 
on disk, be allowed to be submitted for the record at a later date. 

Mrs. Johnson of Connecticut. So ordered. 

Ms. Goldman. Thank you. 

When I started the health privacy project a year and a half ago, 
I tried to position health privacy issues in a way that is a little bit 
different than how we tended to look at it in the past, to see pro- 
tecting privacy as a critical goal to improving the quality of care 
in this country and access to care. We have tended to view these 
as values in conflict, and what we have found in some of our recent 
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research is that protecting privacy is critical to improving health 
care in this country and in opening doors to access. 

In a recent survey that came out in January it was documented 
that one out of every six people in this country withdraw from fully 
participating in their own health care because they are afraid that 
their records will not be protected, so they don’t fully disclose to 
their doctors, they leave information out. Sometimes they pay out 
of pocket to avoid having to file a claim or they don’t seek care at 
all. So the quality of their care is undermined in those cir- 
cumstances, and the information that is available downstream for 
public health and research is also undermined. 

So I truly believe that we need to enact strong privacy legislation 
in order to give the public trust and confidence that this Nation’s 
health care system will protect their privacy. 

You are all well aware Congress has imposed on itself a deadline 
of August 21 to enact comprehensive legislation or the Secretary 
will issue regulations. When we started the Project, we tried to 
identify what is missing in the debate, what contribution can we 
make, and we decided that we would bring together the diverse 
stakeholders in the debate, the health plans, doctors, ethicists, 
mental health advocates, those representing people with AIDS and 
others, to say can we reach outside of the glare of the legislative 
spotlight, can we reach some common ground on a set of best prin- 
ciples for health privacy. 

I had the privilege of working with Dr. Paul Clayton on that 
working group, and I included for you a copy of the working group’s 
principles. I want to just highlight — we released this report last 
week, so we are just in time for the deadline — just a few of the key 
findings that we made. 

We want to reverse the status quo and encourage people to use 
nonidentifiable data wherever they can, and to put in some real 
protections for individuals by having authorization requirements 
that are more meaningful than we heard about in the first panel, 
and to provide some oversight, some accountability for all research 
that is conducted in this country, not just the research that re- 
ceives Federal funds and is covered by the common rule. 

We were able to reach that common ground, and I think we have 
a lot to be proud of, and I hope that Congress will look and see if 
there is some guidance that you can find in this report as you move 
forward. 

The second thing that we did, which we just released this morn- 
ing and which has already been referred to by Congressman 
Cardin, is a report that is a comprehensive survey of the 50 State 
health privacy laws. That has never been available until today. 
And so when the question was asked earlier, well, do you comply 
with the 50 State laws, the truth is no one has known what they 
are. So today we released this report. 

We have a summary of every State’s law. You can look at your 
State of Connecticut, you can look at your State of Wisconsin and 
say what protections are provided to our citizens. And so when you 
are looking at this issue of preemption, which is one of the most 
controversial issues in the debate, you can say, what would be the 
impact on my State’s law? What has my State done in moving for- 
ward to protect privacy? 
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Now, one of the things that we found in our State report, which 
I think is very important, the State law in this area is not simple, 
and it is not easy to find, which is why it took us so long and so 
many people to put this together. There is a lot of law, and it exists 
in the nooks and crannies of the States’ code. There are very few 
examples, although Wisconsin is a shining exception, of comprehen- 
sive law. There are very few States that have enacted comprehen- 
sive health privacy law. They tend to legislate by entity. They 
might have restrictions on hospitals, health plans or doctors, but 
they don’t tend to take a very comprehensive view. But what the 
States have done in a very, I think, responsive and responsible 
way, is to enact condition-specific rules. So for people, for instance, 
who want to seek genetic testing, for people with mental illness or 
communicable disease, the cancer registries and other kinds of dis- 
ease registries, the States have been very responsive to protecting 
the needs of their citizens in those areas. We need to be cautious 
and look at those laws before we talk about creating a Federal ceil- 
ing. 

What we also found is that some of the State laws are weak and 
some are strong, but they are for the most part very detailed and 
nuanced. I want to make a final point about the State laws. When 
we talk about uniformity, and this is the big discussion we are all 
having, how do we create uniformity. I think we all agreed that in 
this complex, health care environment with managed care and inte- 
grated health data networks, we all need uniformity to have good 
quality care in this country. The question is if we set the bar high 
enough at the Federal level, in other words, if we enact strong 
enough protections at the Federal level so that we don’t have to 
worry about wiping out stronger laws that already exist at the 
State level, we don’t have to worry about passing or enacting a 
Federal ceiling, because we will have done the best that we can do 
to create a baseline of protections for people in this country. 

I think we want to be very careful and respect what the States 
have already done. The States have been very responsive. We don’t 
want to tie the hands of the State in being able to respond to fu- 
ture public health threats. Many of the State laws on the books 
were enacted to respond to a particular public health threat or a 
public health concern. Again, the number one barrier to people re- 
ceiving genetic testing is they are afraid of how that information 
will be used by somebody else, in employment, in insurance, so the 
States are moving forward to protect, to enact protections, to en- 
courage people to get these critical tests that can help improve 
their care, so they have been able to respond to these concerns. We 
need to be mindful of the regulatory powers of the State and the 
details of the State law. So I just suggest some caution. The State 
report, by its title suggests there is an uneven terrain in the 
States, but I don’t want to suggest it is an unimportant terrain. 
The States have done a lot of good in this area. 

In conclusion, we should ensure that a Federal law does not 
weaken or erode the critical protections that already exist at the 
State level. Consumers have come to rely on those State laws for 
whatever protections do exist in the absence of a Federal law. If 
we do, we will jeopardize their health care and we might under- 
mine their trust in public health and research. We should do our 
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best to make that floor as high a level of baseline protections as 
possible. 

Thank you very much. 

[The prepared statement follows:] 

Statement of Janlori Goldman, Director, Health Privacy Project, Institute 
for Health Care Research and Policy, Georgetown University 

Chairman Thomas and Members of the Subcommittee: 

Thank you for the opportunity to testify before you today on the issue of health 
privacy. 1 am Janlori Goldman, Director of the Health Privacy Project at George- 
town University’s Institute for Health Care Research and Policy. In the past week, 
the Project has issued two reports on health privacy, which we hope will make a 
significant contribution to the ongoing policy initiatives. We include as our testi- 
mony today the top findings and executive summaries of these reports. The full text 
of both reports is available on our website at www.healthprivacy.org. 

Your continued attention to health privacy is greatly appreciated, and we look for- 
ward to working with you, as you, and the rest of the Congress, move forward to 
meet the August deadline for enacting comprehensive health privacy legislation. 

Best Principles for Health Privacy 


Executive Summary 

Privacy and confidentiality have long been recognized as essential elements of the 
doctor-patient relationship. Also essential to optimal care is the compilation of a 
complete medical record. But that same record is used for a wide variety of pur- 
poses — including insurance functions, coordination of care, and research. The long- 
standing friction between these two goals — patient privacy and access to information 
for legitimate purposes — has been heightened by the transition to electronic health 
information and a push toward integrated information in support of integrated 
health care delivery and health data networks. While these developments are in- 
tended to improve health care, they also raise many questions about the role of pri- 
vacy in the health care environment. 

Recent polls demonstrate that the public has significant concern about the lack 
of privacy protection for their medical records and that it can impact how they en- 
gage with health care providers. In order to protect their privacy, some patients lie 
or withhold information from their providers; pay out-of-pocket for care; see multiple 
providers to avoid the creation of a consolidated record; or sometimes avoid care al- 
together. Such “privacy-protective” behavior can compromise both individual care 
and public health initiatives. 

The public has some reason to be concerned. Today, there is little consistency in 
approaches to patient confidentiality and no national standards or policies on pa- 
tient confidentiality. The 1996 Health Insurance Portability and Accountability Act 
provides that if Congress fails to enact comprehensive health privacy legislation by 
August 1999, the Secretary of Health and Human Services must issue regulations. 
Therefore, either through legislation, government regulation, or self-regulation, 
there will be significant developments with regard to health privacy in the next two 
years. 

What has been missing from the debate is a consensus document that offers policy 
recommendations regarding how best to protect patient confidentiality. To fill this 
void, the Health Privacy Project, with funding from the Robert Wood Johnson Foun- 
dation, created the Health Privacy Working Group in June 1998. Its mission was 
to achieve common ground on “best principles” for health privacy, while identifying 
a range of options for putting those principles into practice. The Working Group is 
comprised of diverse stakeholders, including: disability and mental health advocates; 
health plans; providers; employers; standards and accreditation representatives; and 
experts in public health, medical ethics, information systems, and health policy. 

The Working Group spent the past year crafting a consensus document that re- 
flects “best principles” for health privacy. This report outlines the 11 principles to 
which the Working Group agreed and details the rationale behind the recommenda- 
tions. 

The principles represent significant compromises between Working Group mem- 
bers and should be seen as a framework that aims to accommodate the various in- 
formation needs of diverse interest groups. The principles are designed to establish 
a baseline of protections that should be considered when implementing comprehen- 
sive patient privacy policies and practices. 
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The Working Group adopted the following 11 principles. Because these principles 
are intended to establish a comprehensive framework, they should be read and im- 
plemented as a whole. 

1. For all uses and disclosures of health information, health care organizations 
should remove personal identifiers to the fullest extent possible, consistent with main- 
taining the usefulness of the information. 

Generally, the use and disclosure of information that does not identify individuals 
does not compromise patient confidentiality. As such, the use and disclosure of non- 
identifiable health information should “fall outside” the scope of policies that govern 
personally-identifiable health information. Health care organizations will need to 
take into consideration the practicality and cost of using and disclosing non-identifi- 
able information. Ultimately, through the creation and use of non-identifiable health 
information, more people can have more information, without compromising patient 
confidentiality. 

2. Privacy protections should follow the data. 

All recipients of health information should be bound by all the protections and 
limitations attached to the data at the initial point of collection. Recipients of health 
information can use or disclose personally-identifiable health information only with- 
in the limits of existing authorizations. Any further uses or disclosures require spe- 
cific, voluntary patient authorization. 

3. An individual should have the right to access his or her own health information 
and the right to supplement such information. 

All patients should be allowed to copy their records and to supplement them if 
necessary. But supplementation should not be implied to mean “deletion” or “alter- 
ation” of the medical record. Furthermore, data holders may charge a reasonable fee 
for cop3dng the records, but they cannot refuse inspection of the records simply be- 
cause they are owed money by the individual requesting inspection. 

In certain cases, patients may be denied access to their medical records. Such in- 
stances include if the disclosure could endanger the life or physical safety of an indi- 
vidual; if the information identifies a confidential source; if the information was 
compiled in connection with a fraud or criminal investigation that is not yet com- 
plete; or if the information was collected as part of a clinical trial that is not yet 
complete and the patient was notified in advance about his or her rights to access 
information. 

4. Individuals should be given notice about the use and disclosure of their health in- 
formation and their rights with regard to that information. 

The notice should tell the patient how information will be collected and compiled, 
how the collecting organization will use or disclose the information, what informa- 
tion the patient can inspect and copy, steps the patient can take to limit access, and 
any consequences the patient may face by refusing to authorize disclosure of infor- 
mation. 

5. Health care organizations should implement security safeguards for the storage, 
use, and disclosure of health information. 

Security safeguards consistent with the Secretary’s standards, whether techno- 
logical or administrative, should be developed to protect health information from un- 
authorized use or disclosure and should be appropriate for use with electronic and 
paper records. Any safeguards should recognize the trade-off between availability 
and confidentiality and should be tailored to meet needs as organizations adopt 
more sophisticated technologies. 

6. Personally identifiable health information should not be disclosed without patient 
authorization, except in limited circumstances. Health care organizations should pro- 
vide patients with certain choices about the use and disclosure of their health infor- 
mation. 

Patient authorization should be obtained prior to disclosure of any health informa- 
tion. But, at the same time, some patient information needs to be shared for treat- 
ment, payment, and core business functions. With this in mind, the Working Group 
recommends a two-tiered approach to patient authorization. 

The authorization structure allows for a health care organization to obtain a sin- 
gle, one-time authorization for core activities that are considered necessary or rou- 
tine. These activities — identified as Tier One — are directly tied to treatment, pay- 
ment and necessary business functions in keeping with medical ethics. The health 
care organization may condition the delivery of care, or payment for care upon re- 
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ceiving authorization for these activities, which can be obtained at the point of en- 
rollment or at the time of treatment. 

Any activities that fall outside this core group (sometimes commonly referred to 
as uses) must be authorized separately by the patient and fall under Tier Two au- 
thorization. The patient can refuse authorization for these activities without facing 
any adverse consequences. Activities in this category include, but are not limited to: 

• purposes of marketing; 

• disclosure of psychotherapy notes; 

• disclosure of personally identifiable information to an employer, except where 
necessary to provide or pay for care; 

• disclosure of personally identifiable health information outside the health care 
treatment entity that collected the information, if other tier one authorizations do 
not apply; and 

• disclosure of personally identifiable health information, if adequate notice has 
not been given at the point of the initial authorization. 

The Working Group identified a limited number of circumstances in which person- 
ally-identifiable health information may be disclosed without patient authorization. 
These include: 

• when information is required by law, such as for public health reporting; 

• for oversight purposes, such as in fraud and abuse investigations; 

• when compelled by a court order or warrant; and 

• for research, as described in Principle 8 below. 

7. Health care organizations should establish policies and review procedures regard- 
ing the collection, use, and disclosure of health information. 

An organization’s confidentiality policies and procedures should be coherent, t 3 dng 
together authorization requirements, notice given to patients, safeguards, and proce- 
dures for accessing personally identifiable health information. Organizations should 
also establish review processes that ensure a degree of accountability for decisions 
about the use and disclosure of personally identifiable health information. During 
such a process organizations might, for example, wish to determine routine proce- 
dures and special procedures for some areas of health care where medical informa- 
tion is considered highly sensitive to the patient. 

8. Health care organizations should use an objective and balanced process to review 
the use and disclosure of personally identifiable health information for research. 

For some areas of research, it is not always practical to obtain informed consent 
and in some cases, a consent requirement could bias results. Recognizing this, the 
Working Group advises that patient authorization should not always be required for 
research. However, any waivers of informed consent should only be granted through 
an objective and balanced process. 

Currently, any federally funded research is subject to the “Common Rule,” where 
an Institutional Review Board (IRB) is required to make a determination about the 
need for informed consent. An IRB can choose to give a researcher access to person- 
ally identifiable health information with or without informed consent. But some re- 
search falls outside the scope of federal regulations. In such circumstances, health 
care organizations should use a balanced and objective process before granting re- 
searchers access to personally-identifiable health information. 

9. Health care organizations should not disclose personally identifiable health infor- 
mation to law enforcement officials, absent a compulsory legal process, such as a 
warrant or court order. 

Federal privacy laws generally require that some form of compulsory legal proc- 
ess, based on a standard of proof, be presented in order to disclose to law enforce- 
ment officers. Law enforcement access to health information should be held to simi- 
lar standards. In some instances, however, government officials may access health 
information with legal process for the purposes of health care oversight. In these 
instances, the information obtained should not be used against the individual in an 
action unrelated to the oversight or enforcement of law nor should the information 
be re-disclosed, including to another law enforcement agency, except in conformance 
with the privacy protections that have attached to the data. 

10. Health privacy protections should be implemented in such a way as to enhance 
existing laws prohibiting discrimination. 

Currently, there are state and federal laws that prohibit discrimination on the 
basis of a person’s health status in areas such as employment or insurance under- 
writing. Confidentiality policies should be implemented in such a way as to enhance 
and complement these protections. In effect, privacy can serve as the first line of 
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defense against discrimination, creating a more comprehensive framework of protec- 
tion. 

11. Strong and effective remedies for violations of privacy protections should be es- 
tablished. 

Remedies should be available for internal and external violations of confiden- 
tiality. Health care organizations should also establish appropriate employee train- 
ing, sanctions, and disciplinary measures for employees and contractors who violate 
confidentiality policies. 

The 11 principles outlined above focus on information gathered in the context of 
providing patient care and are written to establish a broad framework for the use 
and disclosure of health information. Although the Working Group recognizes that 
the need for privacy protections in other areas is no less urgent, this consensus doc- 
ument does not address the following areas: 

• special considerations about the needs of minors; 

• information that locates an individual in a particular health care organization 
(sometimes referred to as “directory information”); 

• information provided to spouses, dependents and other next of kin; 

• public health reporting; 

• fraud and abuse investigations; and 

• the appropriate relationship between state and federal law. 

These 11 principles are designed to serve as a baseline for establishing patient 
privacy protections. While we all agree that health information, used in the right 
hands and with the right safeguards, can lead to improved health and advances in 
research, this information should not be used with disregard for patient privacy. Pa- 
tients need to know that adequate protections are in place to protect their health 
information. Our hope is that these principles will go a long way towards estab- 
lishing appropriate protections and, in the process, help build public trust and con- 
fidence in our health care system. 

The State of Health Privacy: An Uneven Terrain 


Preface 

Eighteen months ago, the Health Privacy Project launched an initiative to compile 
and publish a comprehensive survey of state health privacy statutes. As word 
spread that we had undertaken this effort, we heard two distinct messages, often 
delivered by the same people in the same breath: First, “Nothing like this exists.” 
Second, “Are you crazy? Do you have any idea what you are getting into?” Over the 
past year and a half, we have come to appreciate both the importance of this effort, 
and the near impossibility of the task. 

At the outset, it is important to say what this report is, and what it is not. The 
State of Health Privacy includes a summary of each state’s major statutes related 
to the confidentiality of personal health information. The survey is specifically and 
exclusively a survey of statutes, not laws. This distinction is important: we did not 
research or include regulations, or common law, both of which ultimately must be 
understood in order to appreciate the full range of protections at the state level. 

The survey is not exhaustive — there are many more statutes that address the con- 
fidentiality of health information. The summaries speak most directly to the use and 
disclosure of information gathered and shared in the context of providing and pay- 
ing for health care. In particular, the condition-specific requirements are meant to 
be illustrative; we did not do an exhaustive search for mandatory reporting require- 
ments or specific conditions. 

Throughout, keep in mind that medical information is used in many different set- 
tings, and for many different reasons. There are innumerable state laws that speak 
to the confidentiality of health information — such as laws on workers compensation, 
public health reporting, adoption records, birth and death records, motor vehicle re- 
quirements, minor’s rights, and so on — that are not generally addressed in our sum- 
maries. For this reason, we have given four states — Florida, Maryland, New York, 
and Washington — a more exhaustive treatment that highlights the breadth and the 
depth of the state laws that relate to the confidentiality of health records. 

To satisfy diligent scholars and the excessively curious, we augment the sum- 
maries with a comprehensive list of each health privacy-related law we discovered 
in the state. (Given the length of these lists, they are only available in the online 
edition at the Health Privacy Project’s website: http://www.healthprivacy.org/re- 
sources.) We have also provided a number of overview documents that attempt to 
pull together the findings and provide a snapshot of how the states compare to each 
other. 
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This report is not perfect. We may have missed some laws. Laws may have been 
repealed or re-interpreted by the courts. Laws may take on a different meaning in 
their application than they do in the plain reading. States may have issued regula- 
tions implementing their laws that amplify, diminish, or otherwise affect the law’s 
impact. However, we determined that you-the reader-would benefit from the timely 
publication of this report, and would not be offended by our asking your indulgence 
for what we did not have the time or the resources to accomplish. In fact, we ask 
your assistance — if you discover a major statute we have overlooked, or if you find 
we mis-characterize a law, or if there is anything else you would like to contribute 
to enhance the accuracy and completeness of The State of Health Privacy, contact 
us. Your input is appreciated. 

Finally, and most importantly, this survey is part of a larger body of work under- 
taken by the Health Privacy Project. Throughout, we have tried to maintain a sense 
the ultimate goal: to protect the privacy of people’s health information. 

In the health care arena, maintaining the confidentiality of medical information 
and communications has been an essential element of the relationship between doc- 
tors and their patients. Increasingly, however, major changes in health care — such 
as the rise of managed care, the development of electronic health information net- 
works, and reform efforts to improve individual and community health — all depend 
on accumulation of and access to complete and reliable patient data. 

Protecting privacy and improving health and access to health care are values that 
have long been viewed as in conflict. Consumer advocates often view public health 
and research initiatives as threats to individual privacy, whereas public health offi- 
cials and researchers may treat privacy as a barrier to improving health. In fact, 
the converse is true — protecting privacy and promoting health are values that must 
go hand-in-hand. 

Without trust that the personal, sensitive information that they share with their 
doctors will be handled with some degree of confidentiality, patients will not fully 
participate in their own health care. 

The consequences of people not fully participating in their own care are quite 
troubling, for individual patients as well as the larger community. For instance, in- 
complete or inaccurate information can hamper a doctor’s ability to accurately diag- 
nose and treat a patient, inadvertently placing a person at risk for undetected and 
untreated conditions. In turn, if doctors are receiving incomplete, inaccurate infor- 
mation, the data they disclose for payment, research, public health reporting, and 
outcome analysis will be unreliable. Ultimately, information that lacks integrity at 
the front end will lack integrity as it moves through the health care system. Thus, 
protecting patient privacy is integral both to improving individual care and to the 
success of public health initiatives and quality of care. 

There is no doubt that the public is deeply concerned about the lack of privacy 
in the health care environment. A survey released by the California Health Care 
Foundation in January 1999 found that “public distrust of private and government 
health insurers to keep personal information confidential is pervasive. No more than 
about a third of U.S. adults say they trust health plans (35%) and government pro- 
grams like Medicare (33%) to maintain confidentiality all or most of the time.” The 
consequences of such distrust — real or perceived — are significant. The Foundation’s 
survey identified that: 

• One in every five people believe their health information has been used or dis- 
closed inappropriately. 

• One of six people engage in some form of “privacy-protective” behavior when 
they seek, receive, or pay for health care in this country. Such behavior includes 
paying out of pocket for care; intentionally seeing multiple providers to avoid the 
creation of a consolidated record; giving inaccurate or incomplete information on a 
medical history; asking a doctor to not write down the health problem or record a 
less serious or embarrassing condition; and even not seeking care to avoid disclosure 
to an employer. 

Currently, there is no comprehensive federal law protecting the privacy of people’s 
medical records. Congress has acknowledged that such a law should be passed and 
imposed a deadline on itself to do so by August 1999. If Congress fails to meet the 
deadline, the Secretary of Health and Human Services is required to issue regula- 
tions by February 2000. 

Health privacy is not a new issue to the U.S. Congress. Each year over the past 
decade as debate has resumed over how to best craft a health privacy law, the ques- 
tion is inevitably raised, “What have the states done? What are the state health pri- 
vacy laws? What will be the impact on the states of any federal preemption of state 
law? What negative and positive models exist for us to learn from?” For the most 
part, these questions have gone unanswered. Until now, no comprehensive compila- 
tion of state health privacy existed. 
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Bear in mind as you read this report that, in the absence of a comprehensive fed- 
eral health privacy law, the limited privacy protections people currently enjoy have 
been put in place by state legislatures. The terrain of state health privacy law may 
be uneven, but that shaky ground plays a significant role. 

Executive Summary 

There is no comprehensive federal law that protects the privacy of people’s health 
information. The U.S. Congress is moving ahead to meet a self-imposed deadline to 
enact a broad health privacy statue by August 1999. If the deadline is not met, the 
Secretary of Health and Human Services must issue regulations by February 2000. 
At this time, people must rely on whatever health privacy protections are built into 
their state’s statutes. 

As the congressional debate over health privacy heats up, there is a question that 
is always asked but — until now — impossible to answer. “What state laws exist in 
this area? How have states responded to the health privacy needs of their citizens? ” 

This report is the first-ever comprehensive 50-state survey of health privacy stat- 
utes. In our experience, the hallmarks of researching state health privacy laws have 
been that: 1) nothing is simple; and 2) nothing is predictable. In the process of re- 
searching, analyzing, and summarizing the statutes, we reached a number of conclu- 
sions and made a few surprising discoveries. But in many more ways, the states 
defy categorization. 

State laws relating to health privacy have been enacted at different points in 
time, over many years, to address a wide variety of uses and public health concerns. 
One must approach each state on its own terms and attempt to understand the pro- 
tections as a unique whole within the state. In striving for precision and nuance, 
our labels of state laws are accompanied by qualifiers and explanations. 

Laws relating to health privacy can be found in nearly every nook and cranny of 
a state’s statutes — in obvious and obscure sections of a state’s code, buried in regu- 
lations, developed in case law, and detailed in licensing rules. Florida, for example, 
has more than 60 statutes that address health privacy, and it is not unique. 

A number of initial observations emerge from the state summaries: 

• States legislate and regulate health privacy by entity. 

There is little mystery about why state health privacy laws are so extensive, vast, 
and detailed: the statutes reflect the diverse users of health information. Consider 
the following four types of users: physicians, schools, insurers, and state agencies. 
Each has a specific function in the state and a legal and regulatory structure spe- 
cific to their roles. Thus, the statutory requirements for how they handle medical 
information are different. 

To understand what confidentiality protections do exist at the state level, one 
must first begin by examining the laws applying to the different entities that collect, 
use, maintain, and distribute health information. Even states that attempt to han- 
dle health privacy in a comprehensive fashion ultimately establish unique rules for 
different entities. In looking at a state’s laws and determining what kind of privacy 
protections exist, one must always ask, “Who’s holding the data?” and “What is the 
medical condition at issue?” 

The end result of this legislating by entity is that state laws — with a few notable 
exceptions — do not extend comprehensive protections to people’s medical records. 
Thus, a state statute may impose privacy rules on hospitals but not dentists. The 
state may restrict the use and disclosure of information derived from a genetic test 
but not information obtained in a routine physical. Or just the opposite may be true 
in a neighboring state. 

The cumulative effect of these various statutes might appear erratic, but so many 
of the laws that do exist provide meaningful protections for consumers and speak 
to the specific needs of the organizations and citizens of the state. For instance, a 
nursing home may have different information needs than a public hospital, and 
state laws attempt to accommodate these differences. 

• The vast majority of state statutes were never intended to be comprehensive. 

Virtually every state has some law aimed at the confidentiality of patient, but 

very few states have anything approaching a comprehensive health privacy law. 
Two notable exceptions are Rhode Island and Wisconsin, each of which has com- 
prehensive health privacy laws. Many states have health privacy laws governing 
certain health care entities, such as hospitals or clinics, but no privacy protections 
regulating health plans and HMDs. 

State confidentiality requirements are part and parcel of larger statutes that pro- 
vide consumer protections or regulate persons or entities. Many of the statutes, for 
example, are imbedded within licensing requirements. In this context, the provider 
is required to maintain health information in confidence in order to obtain and 
maintain a license to practice from the state. One must read all of the statutes to- 
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gether in order to glean an understanding of how health information is protected 
as it moves between persons and entities. 

• An ethical duty to maintain confidentiality is often assumed. 

Most states appear to presume an ethical duty on the part of health care pro- 
viders to keep information confidential. Many statutes, for instance, do not explicitly 
impose a duty of confidentiality, but they do stipulate a penalty for breaching pa- 
tient confidentiality. It seems that in these instances, the states did not see a need 
to legislate the ethical duty. Unfortunately, the users of health information have ex- 
tended well beyond those who may be bound by a professional codes of ethics. 

• State laws have not kept pace with changes in health care delivery and tech- 
nology. 

Most state laws do not reflect the dramatic changes in the health care environ- 
ment or the dramatic changes in information technology. Today, for instance, the 
majority of health care is not delivered by physicians. Integrated delivery systems 
(such as HMDs and provider networks) and the establishment of statewide health 
information databases have created new demands for data that push well beyond 
the limits originally anticipated by the states. The variety of people and entities col- 
lecting, receiving and using health information has also extended far beyond the 
health care environment. A physician, for example, may be obligated to report a per- 
son with epilepsy to the Department of Motor Vehicles, which in turn may revoke 
a driver’s license. 

Therefore, in many ways, the state laws defy summarization — they are detailed, 
specific, and intricate. Nevertheless, we have attempted to bring some coherence to 
this report. The summaries are arranged in four broad categories: Patient Right of 
Access, Restrictions on Disclosure, Privilege and Condition-specific Requirements. 
Our major findings in each category are listed below. 

Key Findings 

Patient Access 

States vary widely in the rights they grant to patients to receive and copy their 
own medical records. Some states have no statutory right of access such as Kansas 
and North Dakota. Three states — ^Alabama, Idaho, and New Mexico — and the Dis- 
trict of Columbia only have a statutory right for patients to access their own mental 
health records. 

On the opposite end of the continuum, a few states — such as Connecticut and 
Minnesota — grant access to records maintained by nearly all of the potential sources 
of patient data, i.e. government agencies and entities, hospitals, physicians, insur- 
ers, schools, and even non-traditional health care providers such as natureopaths. 
Maine and South Dakota, for example, have cast a particularly wide net with re- 
spect to providing access to records maintained by health care providers by using 
broad definitions that anticipate future users and holders of medical information, 
such as those performing in vitro fertilization and blood banks. 

Most states fall somewhere in the middle of these two extremes. Forty-four states 
provide some right of access, but this figure is a bit misleading. The right of access 
quickly breaks down: 

• 33 states provide a right of access to hospital records; 

• 13 states provide a right of access to HMO records; and 

• 16 states provide a right of access to insurance records. 

Many additional statutes cover specific providers — such as physicians, psychia- 
trists, and pharmacists. However limited the right, the impact of providing the right 
should not be underestimated. For example, in response to the public’s desire to uti- 
lize alternative sources for contact lenses, Colorado and other states require optom- 
etrists to disclose prescriptions to their patients. 

All state statutes that grant people a right to see and copy their own medical 
records limit that right with a set of exceptions. The most common exception is that 
a patient can be refused access to his or her own medical record if the record holder 
believes that the release of the information could endanger the life and safety of the 
subject of the information or another person. 

Many states have also granted patients the right to amend or correct their med- 
ical information, particularly when the records are held by insurance companies. In 
Illinois, New Jersey and Ohio, for example, the statute includes a detailed procedure 
for resolving a patient’s challenge to the accuracy or completeness of the record. 
Where the provider and the patient disagree, for example, the patient may be able 
to insert a statement of his or her position in the record. 

Most states allow a person or entity to charge patients for copies of their medical 
record. Some states specify a cost in the statute — in Kentucky, for example, a health 
care provider or hospital must provide a patient with a free copy of their medical 
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record. A patient may be charged for additional copies, but not more than $1 per 
page. Other states require that the fee be waived if the patient is contesting an ad- 
verse underwriting decision. The most common approach is to stipulate that an enti- 
ty may charge a “reasonable” fee. 

Restrictions on Disclosure 

States vary widely in terms of the restrictions or prohibitions they impose on dis- 
closures of medical records and medical information. The restrictions tend to be trig- 
gered in two instances: by the entity holding the data, and the kind of information 
being held. 

For the most part, the state statutes prohibit a person or entity from disclosing 
information unless certain conditions are met. The most notable impact of this ap- 
proach is that it may limit the actual protections afforded the data. Once the infor- 
mation is disclosed, it may or may not be afforded the same protections by the re- 
ceiving entity. For instance, the state laws may not place limits on the re-disclosure 
patient data, or the receiving entity may not be under any legal obligation to adhere 
the privacy rules imposed on the disclosing entity. 

In comparison, a few states — such as Wisconsin and Rhode Island — have statutes 
that prohibit medical information from being disclosed, regardless of the entity hold- 
ing the record. 

Overall, the most common restriction found in state statute is that patient author- 
ization must be secured prior to health information being disclosed. Some states 
specify the format and content of the authorization form in statute. Many states 
allow patients to revoke authorizations. 

At the same time, these statutes all specify numerous exceptions to this general 
rule in which a person or entity may disclose information without patient authoriza- 
tion. The most common instances include: for purposes of treatment; to secure pay- 
ment for healthcare; for auditing; and for quality assurance activities. Most statutes 
allow access to patient data for research purposes, without any patient notification 
or authorization. (See later discussion on research.) 

Also of note is that some states do prohibit the re-disclosure of medical informa- 
tion. In such instances, an entity that receives medical information is prohibited 
from re-disclosing the information unless a separate authorization is secured, or the 
disclosure is in keeping with the statutory requirements. Montana has stated that 
although it is state public policy that a patient’s interest in the proper use of health 
care information survives, the state is not going to statutorily regulate disclosures 
because a person’ expectation of privacy changes when the information is held by 
a non-health care provider. 

Privileges 

A common myth is that the doctor-patient privilege prohibits health care pro- 
viders from sharing information about their patients. The truth is the law of privi- 
lege is a rule of evidence and quite limited in scope. Privilege applies to a patient’s 
(or provider’s) right to keep certain communications confidential in a legal pro- 
ceeding. 

We have included a survey of states’ statutory privileges for two reasons: 1) to 
date, all of the proposed federal health privacy legislation leaves state privilege law 
intact; and 2) many states’ statutes governing the confidentiality of health care in- 
formation maintained by HMOs provide that an HMO is entitled to claim any statu- 
tory privilege against disclosure that the provider of the information is entitled to 
claim. Thus, in order to understand what privilege an HMO might be able to exer- 
cise, it is necessary to know what statutory privileges exist. 

A common misconception about the physician-patient privilege is that it is a gen- 
eral prohibition against a health care provider sharing information about his or her 
patients. However, it is important to recognize that in legal terms, there is a distinc- 
tion between “privilege” and “confidential.” The law of privilege is generally seen as 
a rule of evidence which is limited in scope. It allows a patient in a legal or quasi 
legal proceeding to refuse to disclose and to prevent others from disclosing certain 
confidential information (usually communications) obtained during the course of di- 
agnosis and treatment. In contrast, a health care provider’s duty of confidentiality 
to her patients, arising from a code of ethics, by regulation, or otherwise, is a broad- 
er duty not to disclose to the public information obtained in a professional capacity. 

That being said, it must be noted that even legal professionals often use the terms 
interchangeably. We have attempted to note where a state has worded its statutory 
privilege in such a way as to extend it beyond a legal or quasi legal proceeding. 

It must be emphasized that this is a summary of statutory rules of privilege. 
Many more providers and entities may be covered by a state’s common law privi- 
lege. The summaries do not include a discussion of when privilege may be waived. 
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State law is detailed and voluminous on this subject, and we chose simply to indi- 
cate to whom the statutory privilege applies. 

Condition-specific Requirements 

Nearly all states have laws that impose condition-specific privacy requirements, 
most often to shield people with mental illness, communicable diseases, cancer, and 
other sensitive, stigmatized illnesses from broad disclosures. Many of these laws 
were passed to respond to public fear that certain health information would be wide- 
ly disclosed and used to deny them benefits or could result in other harm. Where 
this fear acted as a barrier to seeking health care, treatment, or counseling, states 
have moved to bolster public trust and confidence in the health care system by en- 
acting heightened privacy rules in these specific areas. The protections tend to at- 
tach to the information at the point of collection, before the information is disclosed. 
These requirements may, for example, direct a provider, hospital, or laboratory to 
obtain a particular kind of authorization from the patient or more stringently re- 
strict disclosure. 

In some circumstances, the condition-specific requirements allow for greater dis- 
closure of the information. Some mental health statutes, for example, explicitly 
allow family members to access the mental health records of a family member who 
has been committed. Other statutes allow employers to share medical information 
about an employee if it affects the performance of her job. 

Most of the condition-specific requirements that exist at the state level, however, 
were enacted hand-in-hand with mandatory reporting laws. While the summaries 
note the protections afforded the data, it is important not to lose sight of the fact 
that these privacy laws were enacted on the backend of laws requiring doctors and 
other health care providers to report to state officials identifiable patient data re- 
lated to certain illnesses and conditions. Clearly, state lawmakers viewed such pri- 
vacy protections as a necessary balm to quiet public fears of the government devel- 
oping health information databases on vulnerable citizens. Our inclusion of the pub- 
lic health reporting requirements and related privacy protections are not com- 
prehensive, but we point out that many states’ reporting requirements are aimed 
beyond communicable or infectious diseases. Many states collect health information 
to study costs, outcomes, and quality — all of which rely on extensive patient data. 
In turn, there is a great demand — often answered in the affirmative — for access to 
this data. 

All states have laws designed to control the spread of contagious diseases, which 
include requirements that named individuals with particular illnesses or conditions 
be reported to health authorities. Again, in the vast majority of these condition-spe- 
cific requirements, the privacy protections are linked to the mandatory reporting re- 
quirements. In such instances, the confidentiality requirements and protections only 
apply to the agency collecting the data. Many states, for example, require providers 
to report birth defects to the state’s registry. The statute then limits how the reg- 
istry can use and disclose the information. These protections, however, do not apply 
to any other entity holding the same information — such as a provider, hospital or 
insurance company. 

Remedies and Penalties 

Most state health privacy statutes contain some form of remedies and penalties 
that are triggered by violations of the law. Commonly found are private right of ac- 
tion provisions granting people the ability to bring lawsuits when the statute has 
been violated, without first having to meet any additional standard of proof, i.e. that 
the violation was willful or intentional. It is enough that the law was violated. A 
full range of damages, remedies, and attorney’s fees and costs are usually available, 
however the monetary damages are often set quite low. In some cases, these statu- 
tory remedies may be construed as exclusive, thereby barring people from raising 
other claims, such as privacy torts or other common law claims. 

Government-maintained Records 

Across the board, records held by government agencies and officials are treated 
differently — and are usually more protected — than the medical information collected 
and held by the private sector. In some instances, the medical records held by the 
government are the only records protected in statute. In effect, a state statute may 
impose confidentiality requirements only on public hospitals, leaving people who are 
treated in private hospitals without the same legal safeguards. In Oregon, for exam- 
ple, the statutory probihitions on disclosure, including authorizations, apply only to 
public providers of health care. Private health care providers are simply “encour- 
aged, but not required to adopt voluntary guidelines limiting the disclosure of med- 
ical records...” 
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Although this legal distinction — between public and private holders of medical in- 
formation — is rooted in the constitutional principle that there must be limits on gov- 
ernment action vis-a-vis the individual, it may not be particularly meaningful to 
health care consumers. Therefore, privacy protections have been extended in a num- 
ber of federal and state privacy statutes to restrict the private sector’s collection and 
use of personal information. 

Research 

Again, there is little uniformity in how state statutes regulate researcher access 
to people’s medical information. The vast majority of laws, however, do allow re- 
searchers broad access to patient records. As the laws apply to private entities, re- 
searcher access is almost always built in as an exception to a statute’s patient au- 
thorization requirements. What limits do exist usually speak only to specific infor- 
mation — such as genetic information or HIV/AIDS information. 

On the other hand, researcher access to patient data held by government entities, 
i.e., agencies, registries, is in some instances more detailed. Some registries, for ex- 
ample, have strict conditions that must be met before researchers can access data 
and may require that personal identifiers be removed before a researcher can access 
information. Laws applying to government entities are also more likely to prohibit 
researchers from re-disclosing patient data. 

Conclusion 

Again, there is no comprehensive federal law protecting the privacy of people’s 
medical records. Congress has acknowledged that such a law should be passed and 
imposed a deadline on itself to do so by August 1999. If Congress fails to meet the 
deadline, the Secretary of Health and Human Services is required to issue regula- 
tions by February 2000. We hope these reports are useful to you as you move for- 
ward. We are available to work with you. 

The Health Privacy Working Group Members: Dr. Bernard Lo, University of Cali- 
fornia-San Francisco; Paul Clayton, Columbia Pesbyterian Medical Center; Jeff 
Crowley, National Association of People with AIDS; John Glaser, Partners Health 
Care System, Inc.; Nan Hunter, Brooklyn Law School; Shannah Koss, IBM; Chris 
Koyanagi, Bazelon Center for Mental Health Law; John Nielsen, Intermountain 
Healthcare; Linda Shelton, National Committee for Quality Assurance; and Mar- 
garet VanAmringe, Joint Commission on Accreditation of Healthcare Organizations. 

As this report documents, there is little probability that any federal law could 
match the breadth and scope of the existing state laws. As such, any federal law 
that fully preempted state law would eliminate for consumers some of the rights 
and protections they currently enjoy and disrupt current state legal and regulatory 
structures. Here’s why 

• States have been the first to respond to concerns about health privacy and they 
have enacted many strong protections. 

State health privacy statutes cover a broad range of entities and, not surprisingly, 
are both weak and strong. In terms of broad consumer protections, one can identify 
many significant gaps and weaknesses in most state statutes: such as a limited 
right for a patient to access his or her own medical record; little ability for patients 
to limit disclosure of their medical records; and little recourse when the laws are 
violated. 

On the other hand, state laws enacted in response to a particular public concern, 
or a public health threat — such as in the areas of mental illness, communicable dis- 
ease, cancer, and genetic testing — are often strong, detailed, and aimed at the 
states’ unique experiences with their citizens. 

• State laws address a level of detail not considered in any of the federal pro- 
posals. 

The importance of the detail in state health privacy law should not be underesti- 
mated. Because the states legislate by entity, they are often able to craft laws that 
speak to the unique needs of the patient population and the information needs of 
particular entities. An HMO, for example, has very different needs than a family 
planning clinic. 

• State law is extensive — it is impossible to predict the full impact of full federal 
preemption. 

Most importantly, it is almost impossible to predict the full impact of federal pre- 
emption on state laws relating to health privacy. Remember that these summaries 
are only the tip of the iceberg in terms of relevant state statutes. Many more laws 
govern areas such as adoption, workers compensation, public health reporting, civil, 
judicial and administrative procedures, fraud and abuse, and law enforcement ac- 
cess. 
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There is widespread consensus that a federal law could help to provide significant 
new protections and to establish some basic rules about the use and disclosure of 
health information. However, until this point, the policy debate about preemption 
tended to be based on rhetoric, not fact. There is a large body of law before us now. 
While many of the facts are reassuring, it does not lend itself to easy answers. 

A significant challenge is before us. There is no doubt that such a comprehensive 
federal health privacy law could be beneficial in many ways. But while a federal 
law could substantially benefit people by establishing a baseline of consumer protec- 
tions, a federal law that ignored the significant role states have played in protecting 
health information could disrupt the legal and regulatory structures at the state 
level and, in turn, some of the protections currently afforded to consumers. 

Our hope is that this report will serve as the factual basis upon which to proceed, 
providing us with a true opportunity to move beyond the rhetoric that has so far 
defined this debate. 


The Preemption Debate 

At the national level, there is an ongoing debate over how a future federal health 
privacy law should relate to existing and future stronger state laws. Passage of any 
federal law will necessarily preempt weaker state laws. But will Congress choose 
to establish a federal “floor” above which states would be free to enact greater pro- 
tections? Or will the federal law fully preempt state laws by creating a “ceiling,” 
thus eliminating both weaker and stronger state laws and preventing the passage 
of future stronger state laws? 

We must begin with the obvious: there is a large body of state law that will be 
impacted by any federal law. Many of these laws were passed over many years, and 
they cover significant ground. Out of necessity, the states have moved forward in 
recent years to pass health privacy laws to fill a vacuum that might otherwise be 
addressed in a federal law — such as in the areas of genetic testing, prescription 
records, HMO records, and integrated databases. A couple of states — such as Rhode 
Island and Wisconsin — have even passed fairly comprehensive laws. 

Thus far, the preemption debate has played out as follows. Proponents of the full 
preemption of state law argue that a one-size-fits-all national standard is necessary 
to conduct health care activities across state lines. Advocates for a federal floor 
argue that states must be free to enact stronger protections to shield its most vul- 
nerable citizens from stigma and discrimination, and encourage them to seek care 
without fear of reprisals. 

But this debate must be about much more. As our research shows, the states’ 
health privacy protections are deeply integrated into powers traditionally held by 
the states: licensing, public health, and police powers. As such, it would be unwise — 
and, in fact, unprecedented — for the federal law to fully preempt state law. At a 
minimum, the states must be free to enact greater protections for its citizens, to reg- 
ulate health care entities, and to conduct vital public health functions. 

Health Care Organizations Already Comply With 50 State Laws 

Consider the state of affairs today: health care entities that do a great deal of 
business across state lines are currently required to comply with fifty different busi- 
ness across state lines are currently required to comply with fifty different state 
laws. The interplay between state and federal laws is not unique to the health care 
environment. In the context of other complex, interstate activities. Congress has ad- 
dressed the interplay between state and federal laws, such as in the Right to Finan- 
cial Privacy Act, the Fair Credit Reporting Act, and the Electronic Communications 
Privacy Act, which regulate the banking, credit, and communications industries. In 
enacting these laws. Congress left the states free to enact more protective laws as 
they see fit. 

Some preemption supporters have expressed the fear that states will pass laws 
tat are too privacy protective, thereby interfering with important health-related ac- 
tivities. Our research documents that states have been quick to take corrective ac- 
tion to respond to the concerns of health plans, researchers, and others when they 
have ‘gone too far.’ In two instances in which a state health privacy statute was 
deemed to interfere with vital health care functions, states have moved quickly to 
amend their laws. Minnesota, for example, amended its law relating to researcher 
access to medical records after hearing objections from health care organizations in 
the state. More recently, Maine repealed a health privacy law after objections on 
the part of press and family members and later enacted a more limited statute. 

Many states are considering pending health privacy bills in an attempt to fill the 
gap created by the absence of a federal health privacy law. In other contexts, how- 
ever, the momentum behind such state initiatives drops significantly following the 
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passage of comprehensive federal legislation. After passage, state activity is likely 
to reflect the standards set out in the federal law, thereby increasing uniformity. 

One of the more surprising — and potentially unifying — findings of this report is 
the most state laws are weaker than the standards proposed in many of the federal 
now under consideration. Therefore, a federal law may provide a substantial degree 
of uniformity simply by preempting weaker state laws. However, policymakers 
should be cautions not to interfere with the states’ vital and established public 
health and regulatory mechanisms. 

State Laws Address a Level of Detail Not Considered in Any of the Federal Proposals 

State health privacy laws address a level of detail not found in any of the federal 
proposals. For the most part, state health privacy laws are organized by entity, and 
the statutes include requirements and specifications explicitly related to that entity. 
There may be separate statutes governing many different entities: employers, nurs- 
ing homes, health maintenance organizations, health and life insurers, psychiatrists, 
chiropractors, hospitals and insurers. 

In addition, there are numerous policy issues traditionally acted on at the state 
level that include health privacy provisions. There include anti-discrimination laws, 
commitment proceedings for the mentally ill, adoption, foster care, mental health 
treatment, reproductive health, parental involvement, partner notification, and 
abuse and neglect. 

In comparison, federal health privacy proposals have on the whole treated all 
health care organizations the same. The federal proposals would also establish — 
with a broad brush — general rules governing the use and disclosure of health infor- 
mation. These proposed Rules aim to address the vast majority of circumstances in 
which health information is used and disclosed, but they do not begin to approach 
the level of detail that has been imbedded in state law. For instance: 

• In South Carolina a physician is expressly prohibited from selling medical 
records to someone other than a hospital or provider licensed by the state. Before 
a physician may sell medical records, he must publish a public notice of his inten- 
tion to sell the records and of a patient’s right to retrieve their records if they prefer 
that their records not be included in the sale. 

• Maryland has an intricate statutory system for dealing with mental health 
records. The disclosure of mental health records is governed by the state’s Confiden- 
tiality of Medical Records Act. One provision stipulates that mental health records 
may not be disclosed between health care providers unless a patient has received 
a current list of the participating providers and has signed a written agreement to 
participate in the client information system developed by the agency. 

• In Florida, a minor may obtain treatment for sexually transmissible diseases 
without the consent to their parents or guardians. [Fla. Stat. Ann. §384.30.] The 
fact of consultation, examination, and treatment of the minor is coOnfidential, not 
subject to the disclosure requirements of other statutes, and cannot be divulged in 
any direct or indirect manner except as authorized by statute, including sending a 
bill to the parent or guardian. 

The level of detail illustrated above is not even contemplated by any of the cur- 
rent federal proposals, and regulating these specific and unique spheres is clearly 
not the intent of any of the federal proposals. If Congress decides to fully preempt 
state law, it will most likely eliminate significant consumer protections without re- 
placing them with an equivalent degree of federal safeguards. 

States are the First to Respond to Concerns About Privacy and Have Enacted Many 
Strong Protections 

Based on our research, it appears that many state laws governing the broad 
agrees sought to be covered in the federal law — patient access to records, notice of 
information practices, patient authorizations for disclosure, remedies for violations 
of the law — are weaker than many of the federal proposals. Thus, a federal law that 
established a floor could provide uniformity, while raising the overall privacy protec- 
tions for consumers. 

However, it appears that even the strongest federal proposals would not set the 
bar as high as the condition-specific protections in certain state laws. Thus, a pre- 
emptive federal ceiling could cause the citizens of some states to actually forfeit the 
protections they are now guaranteed under their state laws. Again, states have en- 
acted condition-specific protections in two main areas: 1) to provide back-end protec- 
tion to information collected as part of a mandatory reporting requirement; and 2) 
to encourage people to seek care for conditions that are sensitive and for which 
there is a high risk of stigma and discrimination. 

• Almost every state has enacted laws specific to HIV/AIDS. California, for exam- 
ple, has enacted laws, covering testing, reporting, partner notification, and dis- 
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covery. The results of an HIV/AIDS test may not be disclosed in a form that identi- 
fies an individual, without patient consent for each disclosure, except in very limited 
circumstances. For instance, a physician or local health officer may disclose HIV test 
results to the sex or needle-sharing partner of the patient without consent, but only 
after the patient refused or was unable to make the notification. The law also re- 
quires patient authorization in more circumstances than provided for under the Sen- 
ate proposals. In California, an individual’s health care provider may not disclose 
to another provider or health plan without written authorization, unless to a pro- 
vider for the direct purposes of diagnosis, care, or treatment of the individual. 

• Almost half the states now provide specific and strong protection for informa- 
tion derived from genetic information. In Georgia this information is considered to 
be strictly confidential and may be released only to the individual tested and to per- 
sons specifically authorized by such individual to receive the information. Any in- 
surer that possesses information derived from genetic testing may not release the 
information to any third party without the explicit written consent of the individual 
tested. 

• Every state has laws that establish rules particular to mental health informa- 
tion, covering a wide range of activities. In Massachusetts, for example, a psycholo- 
gist needs a patient’s written consent to disclose any confidential communications 
about the patient, including the fact that the patient is undergoing treatment. An 
HMO is prohibited from acquiring or disclosing any communication by a member 
to a psychotherapist arising out of the outpatient diagnosis or treatment of a mental 
or nervous condition without the express and informed written consent of the mem- 
ber. No such written consent may be made a condition of the receipt of such benefits 
or any other benefits for which the member is otherwise covered. 

• Tennessee law stipulates that the state’s Department of Health records on sexu- 
ally transmitted diseases may not be released even under subpoena, court order, or 
other legal process, unless the court makes a specific finding concerning each of five 
criteria including: weighting probative value of the evidence against the individual’s 
and public’s interest in maintaining its confidentiality; and determining that the 
evidence is necessary to avoid substantial injustice to the party seeking it and either 
that the disclosure will not significantly harm the person whose records are at issue 
or that it would be substantially unfair as between the requesting party and the 
patient not to require disclosure. 

Many states have laws similar to the ones cited above. Again, none of the federal 
proposals reach these levels of specific protection. Wiping out such laws could create 
a public health crisis, leaving people vulnerable by undoing protections that encour- 
age people to seek testing, counseling, and treatment for a number of conditions. 

It is Impossible to Predict the Full Impact of Full Federal Preemption. State Law 
is Extensive — a Fully Preemptive Federal Law Runs the Risk of Significant, Unin- 
tended Consequences. 

Even a cursory glance at the state statutes reveals that laws relating to the con- 
fidentiality of medical information are found throughout state codes. Major statutes 
are found in the Civil Code, the Insurance Code, the Health and Safety Code, the 
Penal Code, and the Welfare and Institutions Code. The laws cover a wide range 
of activities including treatment, payment, insurance-related activities, peer review, 
research, and prescribing drugs. Most importantly, states have developed bodies of 
law around discrete issues that touch on the use of health information — such as 
anti-discrimination, worker’s compensation, parental involvement, adoption, HIV/ 
AIDS partner notification, and access by law enforcement, and even real estate. 

It is nearly impossible to predict in advance the full impact of total preemption 
on state law and consumer protections. Some laws, for example, may be tied to larg- 
er anti-discrimination statutes. A fully preemptive federal law may inadvertently 
nullify the entire statute. 

• For instance, A California law that prohibits insurers from discriminating on 
the basis of a person’s “genetic characteristics that may, under some circumstances 
be associated with disability in that person or that person’s offspring.” The law in- 
cludes a provision on authorization requirements for the disclosure of genetic infor- 
mation, which may open up the entire statute to preemption. 

Overall, the states are best equipped to respond to new, unique, and inherently 
local challenges in health care and public health. It is impossible to predict what 
issues will require prompt attention in the future, but a preemptive federal law 
would prevent states from responding at all. 

Conclusion 

State health privacy statutes are both weak and strong. In terms of broad con- 
sumer protections, many gaps and weaknesses can be identified in most state stat- 
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utes — such as a limited right for a patient to access his or her own medical record; 
little ability for patients to limit disclosure of their medical records; and limited re- 
course available to people when the laws are violated. 

On the other hand, state laws enacted in response to a specific and heightened 
public concern, or a public health treat — such as in the areas of mental illness, com- 
municable disease, cancer, and genetic testing — are strong, detailed, and aimed at 
a state’s experience with its own citizens. 

The level of detail in state health privacy law should not be underestimated. Be- 
cause the states le^slate by entity, they are able to craft laws that speak to the 
unique needs of their citizens, both in terms of the patient population, and the infor- 
mation needs of particular entities. An HMO, for example, has very different infor- 
mation needs than a family planning clinic. 

An urgency exists to pass a comprehensive federal law that protects the confiden- 
tiality of medical information, fueled in part by the congressionally-mandated dead- 
line to do so and by escalating public anxiety over the lack of enforceable health 
privacy rules. There is widespread consensus that the federal government must act 
to protect the privacy of people’s records. However, as this report documents, we 
must proceed with extreme caution in determining the appropriate relationship be- 
tween any future federal law and existing and future state laws. 

While a federal health privacy law could significantly benefit consumers by estab- 
lishing a baseline of consumer protections, if not handled properly and with an eye 
to the existing state laws, a federal law could also significantly disrupt the regu- 
latory and legal structure at the state level, thereby weakening or eliminating cru- 
cial consumer protections. 

Bear in mind that these summaries are only the tip of the iceberg of the state 
statutes relating to health privacy. It is impossible to foresee all of the laws that 
would be affected by a preemptive federal law. This report is intended to be the be- 
ginning of a dialogue on preemption that is grounded in fact, not rhetoric and con- 
jecture. 

The challenge before us now is to examine the impact of the passage of any fed- 
eral health law on the privacy rights of various state citizens. We must also rely 
on this compilation of state statutes as we address the federal proposals’ impact on 
state public health and regulatory regimes. The State of Health Privacy takes the 
first step to answering many of these challenges before us by providing the empir- 
ical basis on which to do so. 


Mrs. Johnson of Connecticut. Thank you very much. Mr. Thom- 
as Jenkins, the Assistant General Counsel for Blue Cross Blue 
Shield of Nebraska, on behalf of Blue Cross Blue Shield Associa- 
tion. 

STATEMENT OF TOM JENKINS, ASSISTANT GENERAL COUN- 
SEL, BLUE CROSS AND BLUE SHIELD OF NEBRASKA, ON BE- 
HALF OF THE BLUE CROSS AND BLUE SHIELD ASSOCIATION 

Mr. Jenkins. I am Thomas J. Jenkins, Assistant General Coun- 
sel of Blue Cross and Blue Shield in Nebraska, testifying today on 
behalf of the Association. Thank you for the opportunity to testify. 

Protection of the confidentiality of subscriber data is of para- 
mount importance to us. As part of employee training at Blue 
Cross and Blue Shield in Nebraska, employees must sign a policy 
that stipulates confidentiality breaches may result in termination. 
While we believe that consumers must be assured that their 
records are kept confidential, we believe that Federal legislation 
must balance the need to safeguard medical records with the need 
for health plans to provide health care services efficiently. 

Let me highlight four areas where certain proposals on the table 
now fail to achieve this balance. 

Number one, new authorizations. One of the goals of Federal leg- 
islation is to guard against disclosure of personal data. Of course. 
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health plans must disclose personal data in order to administer 
health benefits. 

Some bills accommodate this through a statutory authorization 
for data disclosure for treatment, payment or health care oper- 
ations. Other legislation requires health plans to obtain new and 
multiple authorizations from all of their subscribers. This requires 
mailing authorization forms to each of our 550,000 subscribers, as 
well as developing new systems to track whether or not those au- 
thorizations have been returned. 

Even after multiple mailings, some subscribers will never re- 
spond. The postage costs alone would be significant, but would pale 
in comparison to the personnel and system costs necessary to ac- 
commodate this authorization process. 

Because of these proposals, we would be forced to cancel the cov- 
erage of subscribers who fail to return these authorizations because 
we could not process their claims without legal access to their per- 
sonal data. We urge Members of Congress to adopt a statutory au- 
thorization as part of confidentiality legislation. 

Number two, static definitions. The statutory authorization 
makes it imperative that the definition of health care operations in- 
clude all the functions we now use to administer benefits, but most 
proposals incorporate a static definition. They do not allow for in- 
novative services to be added. 

This year another Blues plan adopted a new program called 
SARA, Systematic Analysis Review and Assistance. Every day their 
computer evaluates data to identify files that need further review. 
This program has improved the care of subscribers. For instance, 
a 60-year-old male had claims for Viagra as well as for nitrates. 
The combination of these two types of drugs has the potential to 
be fatal. The SARA program worked with his physician to resolve 
this conflict. 

A 1-year-old child had 15 claims for emergency room visits in the 
past 18 months. The parents were referred to an asthma program. 
No further visits to the emergency room were required in the next 
6 months after that. 

If a prescriptive definition for health care operations had been 
legislated in, say, 1995, we could never have developed this pro- 
gram. I urge you, therefore, to assure any definition can accommo- 
date innovation. 

Third, inspection and copying. This problem involves provisions 
that would allow subscribers to inspect, copy and amend all infor- 
mation that is individually identifiable. Most data we obtain are 
administrative in nature. For example, the claims. We believe it is 
important to differentiate between these data which must be pro- 
tected from the data which must be produced. 

Under some proposals, we would have to produce even insignifi- 
cant paper that may have a subscriber’s name or identifying item 
on it, routine claim runs, and so forth. This would require us to re- 
design our computer systems and operations to centralize all data, 
an extremely expensive investment that would increase premiums. 
This absolute approach is not necessary. In my State a recent law 
limits the inspection rights to medical records held by providers. 
We urge Congress to limit inspection rights to actual medical 
records. 
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Fourth and final, the preemption of State law. We have had a 
lot of discussion of that today. We believe any Federal legislation 
should preempt State confidentiality rules. The patchwork of State 
privacy laws are especially difficult when viewed from the patient- 
provider perspective. For instance, if a patient’s insurance is 
through an employer in New York City, but their physician is lo- 
cated in New Jersey and the patient lives in Pennsylvania, whose 
confidentiality laws apply? How does the provider know how to 
comply? 

We urge Congress to provide a full preemption of State confiden- 
tiality laws. 

Thank you again for the opportunity to testify today. 

[The prepared statement follows:] 

Statement of Tom Jenkins, Assistant General Counsel, Blue Cross and Blue 
Shield of Nebraska, on behalf of the Blue Cross and Blue Shield Assoeiation 

Mr. Chairman and Members of the House Ways and Means Subcommittee on 
Health, 1 am Tom Jenkins, Assistant General Counsel of Blue Cross and Blue 
Shield of Nebraska, testifying today on behalf of the Blue Cross and Blue Shield 
Association. BCBSA represents 51 independent Blue Cross and Blue Shield Plans 
throughout the nation that together provide health coverage to 73 million Ameri- 
cans. Thank you for the opportunity to testify on efforts to protect the confiden- 
tiality of medical records. 1 want to especially thank you Chairman Thomas for your 
work and the extensive efforts of your staff regarding confidentiality and other key 
health care issues over the last few years. 

During my testimony, 1 will discuss: 

(I) the importance of confidentiality of medical records; 

(II) general principles for confidentiality legislation; and 

(III) key issues raised by pending confidentiality legislation. These include: 

• requirements for new authorizations from all subscribers; 

• a static definition of health care operations; 

• provisions mandating inspection, copying and amendment of individually identi- 
fiable information by subscribers; and 

• preemption of state law. 

I. The Importance of Confidentiality of Medical Records 

Blue Cross Blue Shield of Nebraska covers 550,000 residents in Nebraska — or 1 
out of 3 people in the state. We offer the choice of products that our customers de- 
mand — health maintenance organizations, preferred provider organizations, point of 
service products, as well as traditional indemnity coverage. 

Protection of the confidentiality of subscriber and patient information is of para- 
mount importance to Blue Cross and Blue Shield Plans. We believe that health 
plans should make every effort to guard this confidentiality and should put into 
place procedures and policies that facilitate this goal. 

Since its inception. Blue Cross Blue Shield of Nebraska has had protections to 
safeguard the privacy of our subscribers. As part of training for all new employees, 
we emphasize the importance of the information with which they are entrusted to 
maintain and safeguard. Dissemination of confidential information is absolutely for- 
bidden. Violation of confidentiality by an employee is grounds for disciplinary action 
or termination. Employees also are educated that it is completely inappropriate to 
share medical information with their fellow workers outside those whose direct func- 
tion necessitates it. 

As a health insurer, we require medical information to pay claims, guard against 
fraud and abuse, and manage health care coverage. Our employees must sign a con- 
fidentiality policy with Blue Cross Blue Shield of Nebraska that includes recognition 
of a disciplinary policy that enforces our code of conduct. 

II. General Principles for Confidentiality Legislation 

While the Blue Cross and Blue Shield Association believes that consumers must 
be assured that their medical records are kept confidential, we believe that federal 
legislation must balance the need to safeguard medical records with the need for 
providers and health plans to provide and cover health care services efficiently. 

Federal legislation should: 
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• Protect consumers: All subscribers and patients should be confident that their 
medical records are kept confidential. 

• Be practical and simple: Federal confidentiality rules must he practical and 
straightforward, so that providers and health plans can adopt and implement them. 
Consumers’ rights must be easily understood. Complex rules will only confuse and 
frustrate consumers, and could hamper implementation throughout the industry. 

• Allow for innovation and flexibility: The delivery and financing of health care 
continues to evolve at an exponential rate as new technologies and therapies are in- 
troduced and as e-commerce revolutionizes the way health care entities conduct 
business. Legislation must assure that health plans and providers can continue to 
evolve and provide innovative benefits to consumers. 

• Have an achievable implementation date: Considering the challenges that 
health plans already face in terms of systems changes and backlogs due to Y2K, it 
is imperative that federal confidentiality legislation have a workable, achievable ef- 
fective date. We urge an effective date of plan years beginning on or after 2 years 
after promulgation of final regulations. 

• Provide for uniformity: Given the complex and interstate nature of the way in- 
formation flows in today’s health care environment, and the increasingly integrated 
nature of our health care delivery system, we believe consistent rules across the 
country are critical to assuring uniform treatment of confidential information. 

• Avoid excessive penalties: Congress should not impose a new private right of 
action allowing individuals to file lawsuits against health plans, providers, employ- 
ers, and others. Unfortunately, it is subscribers who suffer most because premiums 
would ultimately be increased to cover the costs of frivolous lawsuits. Moreover, 
some employers, especially smaller employers, may view the increased liability as 
an unacceptable risk and drop their employer sponsored health coverage altogether. 

III. Key Issues Raised By Pending Confidentiality Legislation 

Many federal proposals addressing the issue of confidentiality fail to incorporate 
all of the above principles. I would like to highlight several of the key issues we 
have identified with pending legislation. 

(a) Requirements For New Authorizations 

One of the general premises of federal confidentiality legislation is to prohibit 
health providers and plans from inappropriately disclosing personal data. Of course, 
health plans must disclose personal data to doctors, hospitals, and others in order 
to administer health insurance benefits. Some legislators have tried to accommodate 
this need by including a “statutory authorization” for the disclosure of data for 
treatment, payment or health care operations. That is, personal data are legally al- 
lowed to be disclosed or used without a separate authorization from the individual 
if it is needed for treatment, payment or health plan operations. We support this 
approach because the statutory authorization serves all parties well — it allows 
health plans to provide the services for which their subscribers are paying pre- 
miums in an efficient manner. 

Unfortunately, other confidentiality legislation requires health plans to obtain 
new and multiple authorizations from all of their subscribers and their families be- 
fore data can be used for treatment, payment, and health care operations. This 
would require us to mail new authorization forms to our 550,000 subscribers as well 
as develop new computer systems to track whether or not authorizations have been 
returned. 

Many subscribers already are inundated with “junk” mail and may inadvertently 
throw these authorization forms away. We may have to mail to our subscribers two, 
three or more times before successfully receiving the new signed authorizations. 
Some may never respond. The initial postage cost alone would be significant but 
would pale in comparison to the personnel and system costs necessary to accommo- 
date the authorization process. Unfortunately, according to various bills, we would 
be forced to cancel the coverage of subscribers who failed to return these authoriza- 
tions because we could not process their claims without legal access to their per- 
sonal data. And this is just on the private side of our business. 

Medicare provides another example of the extraordinary difficulties of complying 
with this rule. Medicare enrolls over 37 million individuals. Over half of the older 
population reports having at least one disability. Over 4.4 million have difficulty 
carrying out activities of daily living such as bathing, dressing, eating and getting 
around the house. And yet, many confidentiality bills would require these individ- 
uals to return a written authorization to Medicare before their benefits could con- 
tinue. If for any reason this authorization was not returned, the payment process 
would have to be suspended while further attempts to obtain the needed authoriza- 
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tion were made. Ultimately, payments to providers would be slowed down, anti- 
fraud and abuse efforts would be impeded, and it could be nearly impossible to 
maintain an efficient system. 

Similar issues are raised in the Medicaid program. The National Association of 
State Medicaid Directors recently reported to the Blue Cross and Blue Shield Asso- 
ciation that the following issues complicate the dissemination of materials to Med- 
icaid recipients: 

• High turnover rates in the Medicaid program; 

• Homelessness and frequent residence-changing; 

• Illiteracy; 

• Nursing home residence; and 

• The fact that heneficiaries often overlook the numerous notices that they receive 
in the mail. 

Whether or not our customers enroll with us through our private business. Medi- 
care contracts, Medicaid, or other government programs (e.g., CHAMPUS, Federal 
Employees Program) — they all share a common expectation: their health data will 
be used to cover their health costs. Requirements for new authorizations would only 
anger customers who already abhor paperwork, increase the cost of their coverage, 
and disrupt the payment of claims. 

We urge Members of Congress to adopt a statutory authorization as part of con- 
fidentiality legislation. 

(b) Static Definition of Health Care Operations 

As I mentioned previously, a “statutory” authorization would allow health plans 
to use patient data for the purpose of health plan operations. This elevates the im- 
portance of the definition of health plan operations, and makes it imperative that 
it encompass the many functions a health plan now uses to assure the quality and 
cost-effectiveness of benefits for subscribers. Our concern is that most legislative ap- 
proaches incorporate a static definition of health care operations — a prescriptive list 
of operations as they currently exist. They do not allow for innovative services to 
be added. This could deprive consumers of important — yet to be developed — services 
in the future. 

For instance, this year another Blue Plan adopted a new program called the Early 
Risk Management Program. So far, it covers about 100,000 of their enrollees. Every 
day, their computer program evaluates data on those enrollees to identify “triggers” 
that indicate a need for further review of that patient’s record. Those triggers may 
be a certain prescription drug or another admission to the hospital. On average, 
about 60 patient records per day are pulled for review. If, based upon this review, 
a problem is suspected, the patient’s physician is contacted. Through this early risk 
management program, they have been able to improve the care of subscribers. For 
instance: 

• A 60 year-old male had claims indicating prescriptions for Viagra as well as ni- 
trates. The combination of these two types of drugs has the potential to be fatal. 
When the treating physician was called, he was unaware that the patient had ob- 
tained a prescription for Viagra. He agreed to contact the patient and no further 
prescriptions for Viagra were filled. 

• A one year-old child had 15 claims for emergency room visits in the past 18 
months as well as office visit claims for asthma. The parents were referred to an 
asthma case management program including outreach and education. No further 
emergency room visits occurred in the next six months. 

• A 49 year-old male had recent claims for abdominal pain with no apparent eti- 
ology. Drug claims also indicated the patient was taking Naproxen. The treating 
physician was contacted and the physician indicated that a prescription for 
Naproxen had been given some time ago. The physician suspected that the patient 
continued taking this drug after the original episode for which it was prescribed had 
ended — likely leading to the abdominal pain. 

New technology has allowed us to provide this quality improvement and poten- 
tially life-saving service to customers. But this type of program was not possible — 
or even contemplated — several years ago. If a prescriptive definition for health care 
operations had been legislated in 1995, we could never have developed this program. 

I want to reemphasize that the delivery and financing of health care continues 
to evolve at an exponential rate as new technologies and therapies are introduced 
and as e-commerce revolutionizes the way health care entities conduct business. We 
are concerned strict definitions of health care operations could limit health plans’ 
roles as they seek to redefine themselves to meet consumer demands of the 21st cen- 
tury. 
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I urge Members of Congress to assure that any legislative definition of health care 
operations be fluid, and easily adjusted over time as innovative programs that ben- 
efit consumers are further developed. 

(c) Inspection, Copying And Amendment Of Individually Identifiable Information By 
Subscribers 

Another example of problematic pending confidentiality legislation involves provi- 
sions that would allow subscribers to inspect, copy and amend all information that 
is individually identifiahle. BCBSA believes that patients should he allowed to in- 
spect and copy their medical records. However, the vast majority of information that 
health plans maintain is administrative in nature (e.g., claims) and does not reflect 
actual patient medical records. We believe it is important to differentiate between 
what information must be protected from what information must he produced. 

The way most proposals are currently written, virtually every piece of information 
in a health plan could he copied and amended. Moreover, how a health plan would 
be required to produce or provide access to data in an intelligible format is a crucial 
question to consider. 

For example, under some legislative proposals, we would have to produce even in- 
significant paper that may have a subscriber’s name or identif3dng feature on it — 
customer service telephone memos, recordings of conversations, internal audit 
memorandum, routine claim runs, etc. We have concerns that producing and pro- 
viding access to all of this data would require health plans to redesign their com- 
puter systems and operations to centralize all Plan data — an extremely expensive 
investment. It is conceivable that we may also have to provide the subscriber access 
to our computer systems. But in order to accomplish this, we may have to provide 
a “translator” to teach the subscriber how to translate the coded information on the 
computer. And of course, we would have to design new systems that would prevent 
the consumer from accessing other subscriber files while reviewing their own. 

All in all, these requirements would pose administrative costs that would be 
passed along to consumers in the form of higher premiums. And all to create abso- 
lute access to information that is unlikely to provide meaningful information to the 
vast majority of subscribers. This absolute approach is not necessary. For instance, 
in my state a recent law limits the inspection and copying rights to medical records 
held by providers. These records are those that provide the basis for our operations, 
and are of the most interest to patients. 

We urge Congress to limit inspection, copying, and amendment rights to actual 
medical records when adopting federal legislation. 

(d) Preemption of State Law 

Finally, we believe any federal confidentiality legislation should preempt state 
confidentiality rules. The intent of the Health Insurance Portability and Account- 
ability Act (HIPAA) administrative simplification provisions was to simplify health 
insurance claims processes, reduce paperwork, and decrease administrative costs 
through wider use of automation and electronic data interchange (EDI). Federal 
standardization of confidentiality rules is essential to the integrity of that informa- 
tion. Lack of federal preemption may lead to the unintended consequence of a de- 
cline in use of EDI since it would be extremely difficult to create a computerized 
system that could assure compliance with conflicting state laws. Eurther, lack of 
federal preemption leads to higher compliance costs, which would ultimately be 
passed onto consumers in the form of higher premiums. 

The patchwork of state privacy laws are particularly difficult when viewed from 
the patient and provider perspective. For instance, if a patient’s insurance is 
through an employer in New York City, but their physician is located in New Jersey 
and the patient lives in Pennsylvania — whose confidentiality laws apply to the con- 
sumer? And how does the provider know how to comply? 

Given the complex and interstate nature of the way information flows in today’s 
health care environment, and the increasingly integrated nature of our health care 
delivery system, we believe consistent rules across the country are critical to assur- 
ing uniform treatment of confidential information. 

We urge Congress to provide a full preemption of state confidentiality laws. 

rv. Conclusion 

The issues raised by confidentiality legislation are complex and fraught with po- 
tential unintended consequences. During my testimony, I have highlighted only a 
few of the difficult issues with this important subject. This Committee — and Con- 
gress — must successfully navigate through a labyrinth of land mines in order to 
enact confidentiality legislation that provides practical, strong protections for con- 
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sumers without disrupting the basic day-to-day services of a health plan and raising 
unnecessary administrative costs. 

On behalf of all Blue Plans, I would like to offer our assistance to you as you con- 
tinue upon this important endeavor. 

Thank you again for the opportunity to testify. 


Mrs. Johnson of Connecticut. Thank you very much. I appre- 
ciate the panel’s input. I very much appreciate examples of how re- 
view of patient records has improved the quality of care. 

Ms. Goldman, you said something that was really very inter- 
esting. First of all, your review of State law would be very helpful 
to us and I thank you for that. 

Ms. Goldman. You are welcome. 

Mrs. Johnson of Connecticut. It is not surprising to me that the 
laws are fragmented and complex. 

Given that fact, if we pass a national comprehensive law, it 
seems to me that we should allow a certain amount of time for 
States to conform to that law. I would not be opposed to States 
then applying for a waiver to have some additional law. But I am 
very concerned about going through all of the difficulty of coming 
to agreement on national standards, which I think is going to be 
very difficult. You can tell from my questioning, I am pretty con- 
flicted about it. I don’t know as much about it as my Chairman. 
It is not an area on which I spent a lot of time, but it is an area 
in which I have a lot of anxiety, and people I represent have a lot 
of anxiety. 

So it is going to be hard to do this. It does seem to me that it 
is an area in which we do need uniformity. So I think everybody 
needs to sort of think about how do we deal with the States on this 
and if we do this right, there shouldn’t be too many areas in which 
there is legitimate need to be different. 

Ms. Goldman. May I give an example of where there might be? 
Some may find that this is oversimplifying, but I want to just try 
to take this massive tome and create a simple conclusion. 

In the broad areas that Congress is seeking to regulate in the 
health privacy area, the right of access, limits on disclosure, law 
enforcement, restrictions on law enforcement access, and those 
broad areas, the State law tends to be weaker than what many of 
the Federal proposals put forth. 

So any Federal law that passes would create a floor. The ques- 
tion is where is that floor? The higher the floor, the higher the bar; 
the more State laws that are weaker will be eliminated and the 
greater the uniformity. In many ways there is an incentive on Con- 
gress if you are looking to develop uniformity to set that bar as 
high as possible because you will create significant uniformity 
given the state of the State laws. 

However, in these, as I pointed out, these condition-specific 
areas, the protections that are on the back end of the cancer reg- 
istries or other disease registries, where there is mandatory report- 
ing requirements, but they are there for research purposes and the 
State has then enacted confidentiality protections to prevent re- 
disclosure, or in the HIV/AIDS area, in a number of States there 
are very specific and detailed limits on the collection and use of 
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communicable disease information, again to encourage people to 
get testing, counseling and treatment. 

The Federal proposals contemplate that level of detail and they 
tend not to be condition-specific. They tend to cover broad entities 
in the health care area and broad information that is identifiable 
health information. 

So I would just suggest a great deal of caution about creating a 
totally preemptive approach at the national level, because there 
will be State laws that I think will be more protective than what 
we are able to come to consensus on here at the national level, be- 
cause there will have to be a great deal of consensus and com- 
promise necessary. Also States, because of their unique cir- 
cumstances and needs of their citizens, have enacted particular 
kinds of rules in very, as I said, narrow areas. 

Given that many in the industry: and the health plans, hospitals, 
doctors, right now have to comply with 50 different laws, that is 
their obligation now, we will greatly simplify that with a floor, with 
the greater simplification where we set that floor. 

Mrs. Johnson of Connecticut. Would you all agree that the rules 
should be the same for HCVA as for private plans and for all pro- 
viders and all State agencies? 

Mr. Clayton. Yes. The problem is now there are no laws in 
many areas. We desperately need some laws. Where I lived in New 
York, we saw people from Connecticut and New Jersey; and if you 
build a computer program that has to look and see whether this 
person is from New Jersey before you can display their medication 
list, and have to look and see if they are from Connecticut before 
you can look at their problem list, people will be used to treating 
someone, and then when they don’t see problems on the problem 
list, they may make mistakes in their judgments. When they use 
an information system, it has to be uniform. 

As we start going to telemedicine, which will erase all political 
boundaries in terms of where things get done, then the preemption 
issue becomes even more difficult. I would just point out, even 
though Janlori is one of my friends, that her opinion on preemption 
was not one of the conclusions of the working group, that that is 
her personal opinion, and the working group did not reach that 
conclusion. 

Dr. Smith. When you limit research to just within a particular 
State because that is the only place you can get permission to do 
that research, you have a tremendous problem with generaliz- 
ability. In other words, is it generalizable to other sections of the 
country, are there enough patients with that disorder or that par- 
ticular issue within that particular State. So the idea of being able 
to move beyond State boundaries is very important. In order to 
have an informed health policy, this not only relates to specific dis- 
eases, but it relates to the economics of health care, it relates to 
how we improve our health care system, it relates to how we pay 
for it, how we monitor it. It is a very broad issue, and that is why 
we need a strong Federal law. 

Mr. Jenkins. I think the truth may be also that the patchwork 
of laws may appear to be stronger in some instances as related 
there, but that may be a theoretical protection only if the laws are 
such patchwork that it is difficult to discern them, and that a 
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strong national framework would, in practice, be actually stronger, 
even though an editor or writer of an article like that might find 
it had been a reduction. 

Mrs. Johnson of Connecticut. My understanding is the adminis- 
tration has not recommended overriding State law, just creating a 
floor. Do all of you agree that is the right thing? 

Mr. Jenkins. No, I don’t. I think it is an area where we are so 
fluid as a nation now in this health care area, that we need a set 
of rules that is standardized and we need to be able to follow them. 

Mr. Clayton. I would, however, agree with Janlori, at least one 
idea, and I am thinking on my feet now. When a State mandates 
a certain data collection they are doing as a State, they might be 
able to have rules that pertain to that database. 

What we are against is the State regulating the use of health 
care information in the normal operation of delivering health care; 
if there were a certain database that was required just in one 
State, there could certainly be a law concerning that State-man- 
dated database, but not one that is in the normal operation of de- 
livering health care. 

So you might, following up on their suggestion, exempt specific 
types of databases, but not the ones that a physician or a nurse 
would be using in her general practice. 

Mrs. Johnson of Connecticut. Would you differentiate between 
patient-identified information and nonidentified information? 

Mr. Clayton. We definitely should differentiate and use, accord- 
ing to the need, legitimate need, for when it has to be identified. 

Mrs. Johnson of Connecticut. Mr. Kleczka. 

Mr. Kleczka. Mr. Jenkins, does your organization support a Pa- 
tients’ Bill of Rights that covers all health consumers in the coun- 
try, or only those consumers that the Federal Government has con- 
trol of or regulation over? 

Mr. Jenkins. We support rules that apply to the private plans, 
as well as the government plans, yes, sir. 

Mr. Kleczka. So you would support a Patients’ Bill of Rights 
covering all 150-plus health care consumers, not only the ERISA 
plan consumers? 

Mr. Jenkins. I am not sure of the position of the association on 
that. I better defer in speaking. 

Mr. Kleczka. I am trying to see if you share my problem with 
inconsistency on States rights. That is what I am trying to ascer- 
tain. 

Mr. Jenkins. I think Mr. Thomas pointed out there are situa- 
tions where, and I agree with his statement, there are situations 
where a full preemption is appropriate. 

Mr. Kleczka. I know your position on privacy legislation. I am 
asking your position on the Patients’ Bill of Rights. There is a con- 
troversy in the Senate over whether or not to have the States con- 
trol plans through their insurance commissioners’ officers, and only 
have Congress deal with the federally controlled plans for the Pa- 
tients’ Bill of Rights. 

Mr. Jenkins. My Association didn’t take a position on that. 

Mr. Kleczka. I think you have a note coming forward on that. 
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Mr. Jenkins. On the Patients’ Bill of Rights, the association sup- 
ported the ERISA plan’s approach that the Senate took. That is a 
note from the association staff. 

Mr. Kleczka. That indicates to me that on managed care reform 
you are letting the States govern. When it comes to health care pri- 
vacy, the States don’t know what they are doing and we should 
preempt them and the almighty Fed should regulate. 

Mr. Jenkins. I don’t think it is a matter of them not having the 
knowledge. There are good people who are on different sides of this 
issue at various points and decisions can and must he made. 

Mr. Kleczka. As a former State legislator and one from a State 
which has some exemplary protections in the medical records area, 
I think State legislators and the Governor should have the right to 
provide and afford protection to any degree for their consumers. I 
don’t think the national interests outweigh that to the extent which 
some of you folks on this panel and some on the other panel would 
dictate. 

Mr. Jenkins. I understand that, sir. 

Mr. Kleczka. Let me ask Dr. Clayton, who do you believe owns 
the medical records? Is it the health care provider or do you think 
that the patient is the owner of those records? 

Mr. Clayton. Most of us in the field don’t believe anybody owns 
the record. We are stewards. We act as the steward of that infor- 
mation, but nobody has really established who really owns it. 

Mr. Kleczka. So I as the health care patient have no direct own- 
ership or claim to those records? 

Mr. Clayton. I think what . 

Mr. Kleczka. Even though I paid for them in part or at times 
in total, if I don’t have insurance? 

Mr. Clayton. What most laws that are being proposed say is 
that the patient has the right to look at those records, know that 
those records exist. That is fair information practice. Whether they 
can say they own them and then physically remove them from a 
doctor’s office, I don’t think anyone would maintain that is true. 

Mr. Kleczka. Maybe I don’t own them, but I do have some con- 
trol over them? 

Mr. Clayton. If you own them, you can retrieve the property. 
But in this case you cannot retrieve it, which indicates to me you 
don’t really have title. It has been a sticky issue that has a lot of 
case law, and most people agree that we are stewards of the 
records. 

Mr. Kleczka. You are the health care provider. I am the patient, 
OK. Do you think I have the right to make judgments as to who 
should see those records? Basically an opt in, not an opt out. 

Mr. Clayton. I think if you wish to receive care and have some- 
one pay for that care, you need to be able to let the people who are 
providing care have access to the information they need to provide 
that care. 

Mr. Kleczka. For specific purposes, not for any and every pur- 
pose. 

Mr. Clayton. That is why I said in my statement that we 
strongly want to restrict the scope through policies. For example, 
an x-ray technician should have no information except the radi- 
ology results. A billing clerk who you call on the phone to complain. 
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“Why is my pharmacy bill so large? ” needs to see what medications 
you are on. They may need to see what laboratory tests you took 
to answer your complaint about how large the bill was. But they 
don’t need to see the results of those tests. 

So we go through, we have at Columbian Presbyterian, three dif- 
ferent categories of people and have listed them under what cir- 
cumstances that person is in and what geographic location. In 
other words, if you are in the emergency room, a nurse could see 
more than if the nurse was at the nursing floor. So you restrict the 
scope of access to what is the legitimate need to know. 

Mr. Kleczka. That access is all pretty relevant to the course of 
business, and unless somebody is just a snoop, I don’t see that 
much of a problem. The problem occurs when either the health care 
provider or some attendant group wants to give medical informa- 
tion to a third party or a fourth party, or when a doctor is selling 
patient information for a clinical drug trial where the physician re- 
ceives rather substantial sums as payment for disseminating the 
names of patients. 

Mr. Clayton. I think when you are using it for research, then 
it has to go through an accredited body that will determine need — 
so you don’t just give information. Right now you can, because 
there is no law. If you make it law, then you will prescribe the 
ways in which we can divulge knowledge that information. 

Mr. Kleczka. Let me ask any of the panelists, what was your 
reaction to the drugstore chain in Washington selling lists of cus- 
tomers and the drugs they were prescribed to a competing drug 
manufacturer. 

Mr. Clayton. Absolutely abhorrent. 

Mr. Kleczka. You can say it happened because of the absence 
of any medical privacy laws. What is your reaction to that? 

Mr. Clayton. Should be illegal. 

Mr. Smith. In my opinion, it is immoral, unethical, and should 
be illegal. 

Ms. Goldman. One of the wonderful things about that case is 
right after it became public, that many drugstores were making 
this information available, people around the country went crazy. 
It was a tremendous outcry and uproar. There was article after ar- 
ticle, and the chain drugstores that were responsible for this imme- 
diately eliminated the program. They didn’t fix it, they didn’t try 
to retool it in some way. They were doing it without patient knowl- 
edge, without their consent, and they eliminated the program. 
There are a couple of lawsuits ongoing on this right now. 

Mr. Jenkins. The same feeling here. 

Mr. Kleczka. I don’t think it is only a question of privacy for 
medical records, it is the entire question of privacy from the dis- 
semination of Social Security numbers and medical records. We all 
know that Social Security number release leads to identity fraud. 
We have a Federal statute on that now. There is heightened public 
awareness in this whole issue. That is why when we discussed a 
banking bill, the big contentious issue on the floor of the House 
was the privacy provision in that bill. 

Someone got up and said, we did this bill 2 years ago. Why 
wasn’t privacy a big issue then? Because even though some of us 
were talking about it then, the public is now becoming more aware 
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of it. You take any poll and 85 to 95 percent of the people say it 
is a big issue. 

During my last campaign, I did a poll. We asked people about 
Medicare and Social Security. We also asked about privacy, be- 
cause I had an interest in it. That scored the highest of constituent 
interest in my district. 

So, folks, if you think this is going to go away or we are going 
to be able to preempt States, I don’t think we will get away with 
it. The public is irritated to the point now where politicians like 
yourselves should be listening. 

I have to agree with the lady from Connecticut. Are we too late? 
Is the horse out of the barn? The Internet is there. I am frustrated, 
nervous and scared. We have to do something. We can’t let it go 
on. It is going to get, as they say in some parts of the country, 
worser. We don’t want it to get worser. We want it to get more bet- 
ter. 

Mr. Clayton. Everybody strongly argued that there needs to be 
strong penalties and strong legislation. Not one of us would dis- 
agree with that. 

Mr. Kleczka. Thank you. 

Mrs. Johnson of Connecticut. Thank you. I did want to just add 
for the record that the legislation for the patient protection that 
Mr. Thomas helped write and he and I both voted for did apply to 
all health plans, unlike the Senate bill. So I wouldn’t want to have 
any misinformation out there on that score. 

I do thank you all for your testimony. This is certainly a very dif- 
ficult area and a very important one. We look forward to working 
with you and the administration to see if we can’t get a bill that 
we can move through with some agreement on the difficult issues 
it poses. 

Thank you. 

[Whereupon, at 5:45 p.m., the hearing was adjourned.] 

[Submissions for the record follow:] 

American Association of 
Occupational Health Nurses 
Atlanta, GA 30341-4146 

July 27, 1999 

Committee on Ways and Means 
U.S. House of Representatives 
Subcommittee on Health 
1102 Longworth House Office Building 
Washington, D.C. 20515-6349 

The American Association of Occupational Health Nurses, Inc. (“AAOHN”) appre- 
ciates the opportunity to submit written testimony to the House Ways and Means 
Committee for the hearing record on the matter of confidentiality of personal health 
care information. Our primary purpose in submitting these comments is to urge 
Congress, in the strongest terms, to enact comprehensive medical records confiden- 
tiality legislation. We believe that for any medical record privacy bill to be truly 
meaningful. Congress must craft legislation that will ensure that all medical records 
are protected under the law regardless of the mode of payment or the setting where 
the health information is obtained or maintained. 

AAOHN is the professional association for more than 12,000 occupational and en- 
vironmental health nurses who provide on-the-job health care for the nation’s work- 
ers. Occupational health nurses are the largest group of health care providers at the 
worksite. AAOHN has had a long-standing involvement in the confidentiality of 
health information debate and continues to work vigorously to ensure that employee 
medical records created and maintained at the worksite or any occupational health 
clinic are protected from improper disclosure. 
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Personal health information generated or maintained at the workplace or in con- 
nection with an individual’s employment is as personal and sensitive as that col- 
lected in more traditionally thought of health care settings, and therefore, must be 
extended the same confidentiality protections. AAOHN trusts Congress recognizes 
the high degree of public concern about the very real potential for employment dis- 
crimination based on health information. Worksite health records frequently docu- 
ment medical and/or health surveillance activities, pre-job placement and fitness-to- 
work physical examinations, and employee assistance program assessments, as well 
as information collected through voluntary worksite wellness programs. Clearly, 
such information, if improperly disclosed, may be used in ways harmful to an indi- 
vidual’s interests. 

A. Balancing Individual Employee Privacy with Employers Needs 

Indeed, AAOHN maintains that an individual employee’s right to privacy must be 
balanced with employers’ legitimate need for certain personal health information 
when considering fitness to work, workplace safety, workers’ compensation benefits, 
disability job accommodations, or some employer-sponsored benefits. Employers 
must be permitted to fulfill their obligations under laws such as the Americans with 
Disabilities Act, the Family Medical Leave Act, and the Occupational Safety and 
Health Act, but employers need not be granted unfettered access to an employee’s 
entire medical record to meet these legal requirements. 

It is well documented that employers often inappropriately use employees’ per- 
sonal health information in making personnel decisions. For example, a 1996 re- 
search study by the University of Illinois revealed that at least one-third of the For- 
tune 500 company respondents admitted using employee medical records in making 
employment-related decisions. ^ Furthermore, AAOHN members can attest that they 
are often pressured by employers to release a worker’s entire medical record or to 
divulge unnecessary personal health information of employees.^ 

B. Goals of Federal Privacy Legislation 

Federal legislation can protect individual privacy and meet employers’ legitimate 
needs for some employee protected health information (“PHI”) if it includes safe- 
guards that (1) limit the scope of individually identifiable PHI disclosed to an em- 
ployer to that information necessary to answer a legitimate workplace health-re- 
lated question and (2) create firewalls restricting access to employees’ raw medical 
record by officers, management, and other employees responsible for personnel deci- 
sion-making. It is essential to recognize that it is the health care provider, not an 
employer’s administrative, human resource, or management personnel, who is the 
professional qualified to interpret medical data and determine what information is 
relevant for a particular health situation and should be disclosed. For example, 
AAOHN unequivocally believes that in cases of fitness-to-work examinations (e.g., 
medical surveillance records, health screening, return-to-work physical records) 
health care professionals should provide the employer with a written medical deter- 
mination of an employee’s health status based upon the medical record rather than 
handing the employer the actual record itself. Any employer entity would be hard- 
pressed to assert that its administrative, human resource or management personnel 
have the requisite qualifications to render a medical judgement as to the health of 
an employee based on their review of a medical record. 

Limiting the amount of PHI an employer may learn about his or her employee 
is not a novel or untested approach. The “bloodborne pathogens” regulations issued 
by the Occupational Safety and Health Administration (“OHSA”) explicitly require 
that such information must be kept confidential and “not disclosed or reported with- 
out the employee’s express written consent to any person within or outside the 
workplace except when required by this section or as may required by law.”® The 
law also narrows the extent of PHI provided to employers to that which is necessary 
to make a determination regarding work fitness. To this end, the regulation states 
that the “healthcare professional’s written opinion . . .shall be limited to whether 


1 David F. Linowes, Privacy in the Workplace, University of Illinois at Urbana-Champaign, 
April 1996 (copy on file with AAOHN). 

®See, e.g.. Health Care Information Confidentiality: Hearings Before the Committee on Labor 
and Human Resources of the United States Senate, 105th Cong. (Feb. 26, 1998) (oral and writ- 
ten testimony of AAOHN). 

3 29 C.F.R. Ch. XVll, § 1910.1030 (1998). 
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(appropriate treatment) is indicated for an employee, and if the employee has re- 
ceived such (appropriate treatment). 

C. AAOHN Support 

Because of the importance of this issue, AAOHN will only support a federal med- 
ical records confidentiality hill that ensures worksite health records are recognized 
as PHI and that includes statutory language limiting intra-employer use and disclo- 
sure of PHI. To date, the only House hill including these types of provisions is H.R. 
1941.® The “Medical Information Protection Act of 1999,” H.R. 2470, introduced hy 
Representative Greenwood does not cover worksite medical records. As originally 
drafted the Greenwood hill contained the same protections found in S. 881 intro- 
duced by Senator Bennett. Nevertheless, Representative Greenwood has stated for 
the record that these safeguards were inadvertently removed in the final version of 
his bill and that it is his intention to do all in his ability to add these protections 
to H.R. 2470.® 

To ensure that worksite health records are recognized as PHI and that the special 
concerns surrounding health information generated or maintained at the workplace 
are covered, AAOHN believes that at a minimum the following amendments to H.R. 
2470 are critical: 

1. Add the term “assessment” to the definition of “health care” in section 2(6) to 
ensure that all types of health data generated at the worksite are “protected health 
information.” 

2. Amend the definition of “health plan” to exclude 42 U.S.C. § 300gg-9 1(c)(1)(G), 
“coverage for on-site medical clinics,” from the benefits not included within the term 
“health plan” 

3. Add new § 201(c): 

(c) APPLICABILITY TO EMPLOYERS. — An employer may use an employee or 
agent to create, receive, or maintain protected health information in order to carry 
out an otherwise lawful activity, provided that 

(i) disclosure of protected employee health information within the entity is com- 
patible with the purpose for which the information was obtained and limited to the 
information necessary to accomplish the purpose of disclosure and (ii) the employer 
prohibits the release, 

transfer or communication of the protected health information to officers, employ- 
ees, or agents responsible for making work assignment decisions with respect to the 
subject of the information. 

(1) The determination of what constitutes the information necessary to accomplish 
the purpose for which the information is obtained shall be made by a health care 
provider, except in situations involving payment or health plan operations under- 
taken by the employer. 

AAOHN appreciates the opportunity to offer our comments regarding the impor- 
tance of strong medical records privacy legislation to our nation’s workers. In sum- 
mary, effective federal privacy legislation must: 

Define PHI broadly enough to include all medical records generated or maintained 
at the worksite or in connection with employment for purposes other than for treat- 
ment, pa3Tnent, or health care operations; 

Build barriers designed to restrict intra-entity disclosure in order to prevent man- 
agement misuse of workers’ health records without jeopardizing a company’s ability 
to operate safely and efficiently; and 

Recognize that the health care professional who creates or maintains worksite 
records is the appropriate person, not employer administrative, human resource, or 
management personnel, to determine whether a PHI disclosure is consistent with 
the purpose for which the information was lawfully obtained and limited to the min- 
imum disclosure necessary to accomplish the purposes of the disclosure. 

We urge Congress to keep these principles in mind when drafting any medical 
records privacy bill and look forward to working with Members of the Committee 
on Ways and Means on this important issue during the days ahead. 


*Id. 

® Senate bills S. 881 and S. 573 are notable for worksite protections. 

® Legislative Hearing Regarding: H.R. 2470 — Medical Information Protection and Research 
Enhancement Act of 1999 Before the Subcomm. on Health and Environment of the House Com- 
mittee, 106th Cong. (July 15, 1999) (opening statement of Rep. Greenwood). 
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Statement of Ameriean Psyehiatrie Association 

Introduction 

APA, a medical specialty society representing 40,000 psychiatric physicians na- 
tionwide, appreciates the opportunity to provide a statement for this hearing. We 
believe patient privacy issues are one of the key issues before the Congress, and we 
greatly appreciate the Committee’s interest in passing medical records privacy legis- 
lation. 

As changes in technology and health care delivery have outpaced the statutory, 
common law, and other protections that traditionally have ensured patient confiden- 
tiality, the level of confidentiality enjoyed by patients has eroded dramatically. We 
must seize this valuable opportunity to protect and restore needed confidentiality 
protections. 

But APA also urges you to craft legislation that will avoid the unintended con- 
sequences of many of the confidentiality bills pending before the Congress. Let’s give 
a couple of real world examples of the impact of several of these bills on patients. 

You go into your doctor’s office, and the doctor gives you a comprehensive phys- 
ical. He takes your blood and runs some lab tests. Sounds harmless enough. After 
all you never signed anything giving permission for your personal information to be 
broadly used and disclosed. You were never told your medical record would be 
broadly used, and nothing was sent to you. But it will be. Your medical records can 
be used for commercial research purposes. Without your consent or knowledge. Your 
age, sex, demographic information, psychiatric status and other information can be 
used for insurance underwriting and other broadly and vaguely defined health care 
operations purposes. Again without your consent or knowledge and even though ag- 
gregate, i.e. non-personally identifiable information would suffice. Even the banker 
reviewing your mortgage application can review your medical record without your 
consent or knowledge. 

But certainly you think at least my employer is specifically prohibited from gain- 
ing access to this information. Not true. Several of the major proposals before the 
Congress lack the strong specific protections that are needed to insure that super- 
visory personnel cannot gain inappropriate access to your medical record. APA urges 
Committee members to avoid including any provisions in your legislation that would 
allow these disclosures to occur. 

The Need for Federal Legislation 

APA believes medical records confidentiality is one of the most important issues 
to come before the Committee this year. Our medical record, when it relates to con- 
ditions as varied as high blood pressure, communicable diseases, Alzheimer’s dis- 
ease, mental illness and substance abuse, domestic violence, sexual assault informa- 
tion, terminal illnesses, HIV/AIDS, cancer, eating disorders, sexual function or re- 
productive health issues, as well as many other conditions, is highly sensitive. 

But whether or not we are affected by these illnesses, medical records privacy 
issues affect us all. Today’s comprehensive medical assessments and wellness ques- 
tionnaires can contain questions about patients’ sexual behavior, social relation- 
ships, state of mind, and psychiatric status — even if patients are not receiving med- 
ical treatment relating to these issues. The forms can also contain extensive per- 
sonal and financial information. 

Confidentiality is a Requirement for High Quality Medical 

Care 

Common sense, the experience of physicians and patients, and research data all 
show that privacy is a critical component of quality health care. The sad fact is that 
the health care system has, on occasion, not earned the trust of patients, and many 
patients do not trust the system to keep their information confidential. In many 
cases, the result has been that physicians are not able to provide the best possible 
quality care nor reach many individuals in need of care. 

Some patients refrain from seeking medical care or drop out of treatment in order 
to avoid any risk of disclosure. And some simply will not provide the full informa- 
tion necessary for successful treatment. At other times, physicians are approached 
by patients who ask us not to include certain information in their medical record 
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for fear that it will be indiscriminately used or disclosed. The result of all these be- 
haviors resulting from patients’ reasonable concerns is unfortunate. More patients 
do not receive needed care and medical records’ data that we need for many pur- 
poses, such as outcomes research, is regrettably tainted in ways that we often can- 
not measure. 

The solution is not to take short cuts that will further deprive patients of their 
rights. Instead, we must enact into law meaningful medical records privacy legisla- 
tion based on the voluntary informed consent of patients and reliance upon the full- 
est possible use of deidentified and aggregate patient data. In this way the full ad- 
vantages of patient privacy as well as the benefits of new medical technology can 
be harnessed. 

Informed, voluntary, and non-coerced patient consent prior to the use and disclo- 
sure of medical records should be the foundation of medical records confidentiality 
legislation. As a general principle, we believe that the American Medical Associa- 
tion’s position — that patient consent should be required for disclosure of information 
in the medical record with narrowly drawn and infrequent exceptions permitted for 
overriding public health purposes — is eminently reasonable. 

The Special Sensitivity of Mental Health Information and 
THE U.S. Supreme Court’s Jaffee Decision 

Patients often refrain from entering psychiatric treatment because of concerns 
about confidentiality. Not only do patients refrain from telling family members and 
close friends the information they share with their therapist, but some may not even 
tell their family members that they are receiving mental health treatment. Often, 
if the information were disclosed to a spouse or an employer it might jeopardize 
their marriage or employment. But even the privacy protection afforded to psycho- 
therapy notes has eroded so much in recent years that many psychiatrists and other 
mental health professionals have stopped taking notes or take only very abbreviated 
notes. Without the very highest level of confidentiality, patients receiving mental 
health services will be less likely to enter treatment and less likely to remain in 
treatment. Worse yet, if confidentiality is not protected, the treatment patients re- 
ceive will be less effective. 

For these and other reasons, the U.S. Supreme Court recognized the special sta- 
tus of mental health information in its 1996 Jaffee v. Redmond decision and ruled 
that additional protections for mental health information are needed. The Court 
held that “Effective psychotherapy depends upon an atmosphere of confidence and 
trusta... disclosure of confidential communications made during counseling sessions 
may cause embarrassment or disgrace. For this reason the mere possibility of disclo- 
sure may impede the development of the confidential relationship necessary for suc- 
cessful treatment.” 

It is also worth recognizing that the extent of mental illness is widespread. Ac- 
cording to the World Health Organization mental illnesses account for four out of 
ten of the leading causes of disability. APA urges members of this committee not 
only to protect the letter of the Jaffee decision but indeed to protect its spirit by 
including appropriate provisions in the legislation. 

Provisions Needed in Congressional Legislation 

It is not our intention to provide a detailed analysis of each bill before Congress. 
Instead, APA would like to recommend several key provisions that we believe 
should guide the Committee in its deliberations. 

Preemption. The most important medical records privacy issue before the Com- 
mittee is to insure that stronger state medical records privacy laws are preserved 
and that states’ ability to enact stronger medical records privacy laws are preserved. 
States have adopted valuable protections for patients, including laws limiting the 
disclosure of pharmacy records and laws blocking insurers’ access to verbatim psy- 
chiatric notes. States are also actively considering numerous additional medical 
records proposals. In fact, the National Council of State Legislatures estimates that 
a total of 56 medical records confidentiality bills have passed through at least one 
chamber of a state legislature. We must not block states’ efforts to protect citizens’ 
medical privacy. We recommend that the Committee adopt a floor preemption ap- 
proach, allowing stronger state medical records privacy laws to be preserved. 

Consent. APA believes three principles should govern sections of the legislation 
concerning authorization and consent for disclosure. First, patients themselves 
should decide whether or not personal health information is disclosed. Consent be- 
fore use and disclosure of medical records is critically important. This time-tested 
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approach should be preserved and strengthened in order to remain meaningful in 
the changing world of health care delivery. In general, whatever problems may now 
exist with confidentiality of health information are derived from our failure to ob- 
serve this principle. No one is in a better position than patients themselves to iden- 
tify sensitive information and to determine to whom it ought not to be revealed. 
Those who would alter this traditional approach have failed to justify such a radical 
change. 

Second, identifiable personal health information should be released only when 
deidentified data is inadequate for the purpose at hand. Third, even when consent 
has been obtained, disclosure should be limited to the least amount of personal 
health information necessary for the purpose at hand. This is consistent with our 
recognition of the importance of protecting medical privacy. 

These principles have implications for some of the major policy questions regard- 
ing authorization of disclosure. For patients to retain meaningful control over per- 
sonal health information, prospective consent for routine disclosures of identifiable 
information should be largely limited to information needed for treatment and pay- 
ment purposes. Other health care operations can usually be accomplished with 
deidentified data. With such a provision, a strong incentive will exist for the use 
and further enhancement of technology to perform a wide array of administrative 
functions. 

Employee Protections. Millions and millions of Americans have great concern 
about the threat to confidentiality of their medical records due to employer access. 
Whether it is idle gossip by individuals with access to medical records, employer re- 
view of identifiable medical records data, or supervisors’ inappropriate interest in 
the personal lives of their employees we must protect employees right to medical 
records privacy. Wouldn’t most people want to decide if anyone in their company, 
not to mention their supervisor, would know if they obtained medical care from a 
psychiatrist, from a cardiologist, from an obstetrician/gynecologist, or from an 
oncologist? We believe that the strong, explicit protections are needed in this area. 

Health Care Operations. APA is very concerned by the definition of “health care 
operations” in many of the bills before the Congress. Entities providing health care 
can use and disclose this information for “operations” purposes, i.e. many purposes 
not directly related to treating a patient or performing payment or reimbursement 
functions. Some of the terms that are used to define “operations” are quite vague 
and broad and could endanger patient privacy. Do we really want to permit patients 
to be terminated from their health care coverage because they don’t want their per- 
sonal records to be used for largely commercial functions that can be performed with 
aggregate data? 

Needed Protections for Particularly Sensitive Medical Information. As indicated 
above, especially sensitive information, including mental health information needs 
to receive a very high level of protection. Indeed, the U.S. Supreme Court itself in 
its Jaffee decision recognized that additional privacy protections, above and beyond 
those afforded to other health information, are needed to insure effective psychiatric 
care. APA believes that in order to promote high quality medical care and patient 
privacy, the Congress should pass legislation that provides a level of protection high 
enough so that no class of information needs additional protections. However, in the 
event that the Congress proceeds with legislation that does not meet this test, 
strong additional privacy protections will clearly be needed for mental health infor- 
mation. Most important among these are protections to prevent access by insurers 
to verbatim psychiatric notes. 

Self Pay. If individuals enter into a private contract with a physician and pay for 
those medical services out of their own pocket, it is difficult to understand why the 
government or a health plan should compel them to sign a form allowing their med- 
ical information to be broadly disclosed beyond the treatment team. Both liberal 
members of Congress who support personal privacy and members of Congress who 
support medical savings accounts and private contracting under Medicare should 
recognize the importance of strong self-pay provisions in medical records confiden- 
tiality le^slation. 

Protections from Overzealous Actions by Police. APA strongly believes that strong 
protections are required in this legislation including a requirement that law enforce- 
ment agents obtain judicial approval based on a probable cause standard before they 
are granted access to individually identifiable medical records. This approach would 
allow legitimate law enforcement investigations to proceed, without unnecessarily 
jeopardizing the privacy of sensitive health information. APA further believes that 
the Committee should incorporate a requirement that protected health information 
obtained pursuant to a court order for one investigation should not be used for any 
other investigation, except a secondary investigation arising out of or directly re- 
lated to the original investigation. Finally, APA urges that law enforcement agen- 
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cies and officials should be subject to the same requirements for protecting individ- 
ually identifiable health information obtained pursuant to a court order as apply to 
other recipients of protected health information, including health providers and pay- 
ers. 

Conclusion 

As physicians, we take an oath first stated by Hippocrates that, “Whatsoever 
things I see or hear concerning the life of men, in my attendance on the sick... I will 
keep silence thereon, counting such things to be as sacred secrets.” In order to make 
sure that doctor-patient confidentiality continues to protect patients in the new mil- 
lennium, I strongly urge the Committee to provide the highest possible level of con- 
fidentiality in your lemslation. 

We thank you for this opportunity and we look forward to working with the Com- 
mittee on these important issues. 


Statement of American Society of Health-System Pharmacists, Bethesda, 

MD 

Re: Confidentiality of Health Information 

The American Society of Health-System Pharmacists (ASHP) supports responsible 
federal legislation to ensure that patients will be comfortable communicating fully 
with their pharmacists, physicians, and other members of the health care team, 
with the knowledge that their sensitive medical information will not be disclosed for 
illegitimate purposes. ASHP is the 30,000-member national professional association 
that represents pharmacists who practice in hospitals, health maintenance organiza- 
tions, long-term care facilities, home care, and other components of health care sys- 
tems. 

ASHP believes the patient should have the right to access and review his/her 
medical records, and the ability to correct factual errors. Patients should also have 
the right to know who has access to their medical records, and authorize how their 
medical information is or will be used. ASHP recognizes that patients view certain 
medical information to be particularly sensitive. Nevertheless, ASHP believes all 
medical information is sensitive and should be treated with the utmost protection. 

ASHP believes that pharmacists must have access to patient health records in 
order to provide quality care and ensure the safe use of medications. ASHP also be- 
lieves that with access to the patient’s health record comes the pharmacist’s profes- 
sional responsibility to safeguard the patient’s rights to privacy and confidentiality. 
Within health systems, communication among all authorized health care practi- 
tioners is to be encouraged and in no way restricted, while ensuring patient con- 
fidentiality and privacy. 

Pharmacists also participate extensively in many clinical trials involving drugs. 
ASHP believes that all clinical trial data must be recorded and stored in such a way 
that the subject’s rights of privacy and confidentiality are protected. Adequate safe- 
guards are already in place to protect a patient’s health care information during the 
clinical trial process, including the storage and retrieval of data. As part of the es- 
tablished process of informed consent, patients receive a statement describing who 
will have access to patient identifiable information. This includes personnel from the 
study sponsor or the FDA for compliance purposes as well as institutional personnel 
who audit the information for quality or financial integrity. 

ASHP believes that pharmacy residency and other training programs must imple- 
ment policies and procedures to assure the confidentiality of patient medical 
records, while recognizing that pharmacy students and residents must have access 
to medical records in the course of their training. 

ASHP believes that in cases where patient information is aggregated into a larger 
population and used for legitimate research and statistical measurement, there is 
no potential for a breach of patient confidentiality because it is not uniquely identifi- 
able. Therefore, a specific authorization for access to this information by individual 
patients is unnecessary. 

ASHP believes there should be a minimum standard adopted in federal law for 
protection of patient health information. 

ASHP believes that strict governmental protections, with appropriate penalties for 
violations, must be in place to preclude the dissemination of patient-identifiable in- 
formation outside of the health system (i.e., to an unauthorized third party) for any 
purposes that do not involve the direct provision of patient care or reimbursement. 
Health systems must have written policies and procedures in place to guard against 
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the unauthorized collection, use, or disclosure of protected health information. Strict 
governmental penalties including criminal sanctions for egregious violations should 
be considered. However, inadvertent infractions with no intent to harm should be 
subject to the health care organization’s disciplinary process or civil penalties. 

The American Society of Health-System Pharmacists is grateful for the oppor- 
tunity to submit its views in writing on the subject of confidentiality of patient med- 
ical records. Questions regarding ASHP’s policy in this area should be directed to 
Ellen C. Evans, Director, Federal Legislative Affairs, Government Affairs Division, 
301-667-3000 ext. 1326. 


Minneapolis, MN 55416 
August 1, 1999 


A.L. Singleton 

Chief of Staff, Committee on Ways and Meams 
U.S. House of Representatives 
1102 Longworth House Office Building 
Washington, DC 20515 


Dear Mr. Singleton: 


Confidentiality of my patient records is so important to me that should I feel it 
is no longer secure, I would think twice before receiving medical treatment for a se- 
rious illness. Thank you for giving me the opportunity to express my concerns to 
the July 20th hearing on medical confidentiality. 

Patients and doctors have a special relationship requiring the divulging of con- 
fidential information that sometimes even the best of friends or family members do 
not share. There must be trust between the doctor and patient to allow for sharing 
what could be damaging information in order to allow timely and appropriate med- 
ical care. 

For the integrity of this relationship and the health care system in general, it is 
important that patients have informed, voluntary consent prior to the sharing of in- 
formation. The bills before the House and Senate do not protect this right. Rather, 
they would create a federal law allowing researchers, government agencies, law en- 
forcement, and managed care organizations to enter my medical records at will. I 
am very uncomfortable with other people reviewing my personal medical records 
without my consent. They would also limit the right of my state legislators to enact 
stronger privacy legislation that Congress enacts. 

As an American, I am entitled to certain rights, including the right of protection 
against unlawful search and seizure by others of my personal property. This in- 
cludes personal information about myself. Also, the Nuremberg Code protects me 
against becoming an unwilling research subject. 

Unconsented access to my medical records will not only violate my Constitutional 
rights as a citizen of the United States of America, it will leave me vulnerable to 
employment, insurance, and medical discrimination. 

I urge you to truly protect my confidentiality by assuring patient consent prior 
to all medical record access. I also urge you to make the research consent form sepa- 
rate from the authorization to treat form and that it be made perfectly clear to the 
patient that their medical care is not in jeopardy should they elect NOT to authorize 
research on there medical records. 

The doctor/patient relationship has eroded too much already with the induction 
of managed care into our medical community. As far as I’m concerned, medical pri- 
vacy is the last bastion protecting that relationship and guaranteeing quality of 
care. When you destroy the sacred trust between a doctor and her patient, you com- 
promise the physician’s ability to practice medicine. Further, when patients no 
longer trust their physician, then the whole truth surrounding their medical condi- 
tion will not be forthcoming and your research is tainted from the start. 

Please pass REAL medical privacy legislation that is strong on protection for the 
patient, not on protection for the researcher. Otherwise, it is guaranteed that PRI- 
VACY will have its day in court. 

Thank you for your time. 

Sincerely, 


Joyce E. Anderson 
Citizen of the United States of America 
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Jefferson, City, MO 65109 
July 21, 1999 

Mr. A. L. Singleton 
Chief of Staff 

Committee on Ways and Means 
U.S. House of Representatives 
1102 Longworth House Office Building 
Washington, D.C. 20515 

Dear Mr. Singleton: 

Confidentiality of our patient records is very important to us. Thank you for giv- 
ing us the opportunity to lend our comments to the July 20th hearing on medical 
confidentiality. 

We would like to let you know what we, as private law-abiding citizens feel it is 
necessary for you to protect our medical records. Really protect it, not just say you 
tried to protect it, or that you thought you protected it. 

First and foremost, no information should be released without our informed vol- 
untary consent. There should be no coercion to sign. We should not be threatened 
with denial of care or additional expenses. In addition, it should be clearly stated 
on the consent form who the information will go to if we give our consent, and that 
we can limit the list. It should be clearly stated that consent is not required for us 
to receive treatment. It should also be clearly stated that we can revoke the consent 
at any time. The consent should be only for a limited period of time. We realize that 
if the doctor does the billing or if we have insurance pay the bill, we have to release 
information, but the information released should be limited to the claim for pay- 
ment. It concerns us that HMDs and insurance companies are creating patient pro- 
files with the information they receive. We think that is wrong. To get health care 
should not mean that we must give away all the intimate details of our life for 
someone else to track and sell. 

We also want you to know that we believe that state legislatures should not be 
restricted to whatever law Congress enacts. We want our legislators to have the 
right to protect us to the greatest degree possible. Because the federal government’s 
power is limited by the Constitution’s according to the 10th Amendment, states are 
given the right to make decisions best for their own constituents. The federal gov- 
ernment and Congress should not try to revoke it. 

We have heard that the federal government and medical researchers believe that 
we should give up our right to privacy for the greater good and the public health 
of all. We also read that officials want us to let the police look at our records with- 
out our consent. Forcing us to display the intimate details of our life to the govern- 
ment and the police will not benefit our health. Given our ability to cross match 
data, we’re not even sure that our unidentified data is unidentifiable, but we would 
have no problem letting our information be used if it was guaranteed that we could 
not be identified or found. 

If it becomes law for the police, profit hungry researchers, and government to get 
into our records without our consent, we can assure you that we no longer will be 
forthright with our doctors. Just knowing the government is going to look willy-nilly 
through our medical records and create databases with our name and information 
on them will damage the relationship we have with our doctor. We’re particularly 
concerned that whatever information is collected on us will be used against us. 
Maybe by insurance companies or employers, or regarding certain illnesses, by the 
people who hand out passports and drivers’ licenses. These are not small issues. 

There are few things more necessary to our freedom than our privacy. Imagine 
having to weigh every word and nuance when we go into the doctor. This could 
bring us into the black market for medical care or mental health. We want to trust 
our doctor, not fear him. He’s supposed to he there to protect us, not hurt us. Every 
day, we see privacy being taken away. We would like you to help us protect our 
patient and privacy rights when you write this law. We don’t care about the incon- 
venience it might make for health plans and researchers. We have ourselves to pro- 
tect. Please keep us in mind. 

Sincerely, 


Matthew and Carrie Burcham 
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Concerned Parents for Vaccine Safety 

Ely, NV 
August 3, 1999 

A.L. Singleton 
Chief of Staff 

Committee on Ways and Means 
U.S. House of Representatives 
1102 Longworth House Office Building 
Washington, DC. 20515 


Dear Members of Congress: 


Please include these written comments as part of the official record. 

I am writing to urge all of you to pass legislation which would require the written 
consent of all patients in order to access, share, or enter personal medical informa- 
tion into any database. We, Concerned Parents for Vaccine Safety, are extremely 
concerned about the possible invasion of medical privacy that is about to take place 
in the form of national databases, etc. 

No one’s personal medical information should be entered into ANY database with- 
out their written permission. Yet this is going on all across the country. In Wash- 
ington state, infants are being entered into a database called Child Profile at birth 
without the parent’s knowledge, much less consent. This is wrong. The government 
does not have the right to tag and track individuals for any purpose. Medical choices 
are exactly that, choices and are between the individual and the physician. These 
choices as well as other medical information should remain between those two par- 
ties and no one else without the explicit permission of the patient. 

If something is not done soon, we can never go back. Once unique personal identi- 
fiers are assigned and once we open the flood gates and let anyone and everyone 
have access to private citizens’ medical information, the sky is the limit for abuse, 
punishment, and discrimination. Please allow the American public to keep what lit- 
tle freedom and privacy they have left. Do not allow the creation of unique personal 
identifiers. Do not allow access to personal health information to every Tom, Dick 
and Harry. Do not allow American citizens to have their last little bit of privacy 
violated. Do not allow American citizens to be tagged and tracked like a herd of cat- 
tle. There is no good reason to allow such things to happen. We are all individuals 
with hopes, dreams and lives. We deserve to control our own personal health infor- 
mation and we do not deserve to be punished for our choices or for heath histories 
which might leave something to be desired. We beg of you, PLEASE PROTECT 
OUR PRIVACY!!! 


Sincerely, 


Dawn Winkler 

Vice President 


Olsson, Frank, and Weeda, P.C. 

Attorneys at Law 
August 3, 1999 

The Honorable Bill Thomas 

Chairman, Committee on Ways and Means 

Subcommittee on Health 

United States House of Representatives 

Washington, DC. 20515 

Dear Chairman Thomas: 

I am writing to clarify the record of your Subcommittee’s July 20, 1999 hearing 
regarding confidentiality of health information. At the end of the July 20 hearing, 
a Member of the Subcommittee asked a question the premise of which was that last 
year Washington area drug stores sold protected health information to a competing 
pharmaceutical firm. The premise of this question was apparently based on inac- 
curate press reports that were later retracted. 

In a February 15, 1998, front-page story and February 18, 1998 editorial, the 
Washington Post asserted that Elensys used patient prescription information it re- 
ceived from CVS and Giant for marketing purposes and implied that Elensys sold 
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patient prescription information to pharmaceutical manufacturers. That is wrong. 
Elensys does not use prescription information for marketing purposes and has never 
sold, given, or provided in any way, private pharmacy customer information to any 
third party. 

Elensys is a small business with 20 employees based out of Woburn, Massachu- 
setts. Elensys supports pharmacies in implementing important prescription compli- 
ance, therapy management, and education programs. By contract, all of the services 
Elensys performs are on behalf of and at the direction of the pharmacy. Elensys’ 
contracts with pharmacies expressly prohibit Elensys from utilizing confidential pre- 
scription data for its own internal purposes or sharing the information with anyone 
outside the scope of the agency relationship. 

Elensys is committed to supporting pharmacists in offering important healthcare 
services to their customers. Most importantly, Elensys has always protected the pri- 
vacy of each patient’s health information. 

Sincerely, 


Karen A. Reis, Counsel 

Elensys, Inc. 


Independence, MO 64055 

July 21, 1999 

A. L. Singleton, Chief of Staff 
Committee on Ways and Means 
US House of Representatives 
1102 Longworth House Office Bldg 
Washington, DC. 20515 


Dear Mr. Singleton: 


I am interested in protecting patient privacy, preventing discrimination, and con- 
trolling my own health information. 

Confidentiality of my patient records is very important to me. Thank you for giv- 
ing me the opportunity to lend my comments to the July 20th hearing on medical 
confidentiality. 

Patients and doctors have a special relationship requiring the divulging of con- 
fidential information that sometimes even the best of friends or family members do 
not share. There must be trust between the doctor and patient to allow for sharing 
what could be damaging information in order to allow timely and appropriate med- 
ical care. 

For the integrity of this relationship and the health care system in general it is 
important that patients have informed voluntary consent prior to the sharing of in- 
formation. The bills before the House and Senate do not protect this right. Rather 
they would create a federal law allowing researchers, government agencies, law en- 
forcement, and managed care organizations to enter my medical records without my 
authorization. They would also limit the right of my state legislators to enact 
stronger privacy legislation that Congress enacts. 

As an American, I am entitled to certain rights, including the right of protection 
against unlawful search and seizure by others of my personal property. This in- 
cludes personal information about myself. Also, the Nuremberg Code protects me 
against becoming an unwilling research subject. 

Unconsented access to my medical records will not only violate my Constitutional 
rights as a citizen, it will leave me vulnerable to employment, insurance, and med- 
ical discrimination. I urge you to truly protect my confidentiality by assuring patient 
consent prior to all medical record access. 

Sincerely, 


Sandra K. Greiner 


Statement of Health Insurance Association of America 

Confidentiality of Health Information 

The Health Insurance Association of America (HIAA) appreciates the opportunity 
to submit a written statement for the record for the hearing on “Courier New” Con- 
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fidentiality of Health Information “Courier New” held on July 20, 1999 by the Com- 
mittee on Ways and Means Subcommittee on Health. 

HIAA is the nation leading advocate for the private, market-based health care 
system. Its more than 269 member companies provide health, long-term care, and 
disability income insurance coverage to more than 115 million Americans, and offer 
a range of health care financing products, including indemnity health insurance, 
managed care plans, preferred provider organization services, Medicare Supple- 
mental (“Medigap”) Insurance, Medicare Select, and Medicare-FChoice. 

HIAA member companies have had, and will continue to have, strict standards 
in place for protecting patient medical records. In addition, HIAA has been a vocal 
proponent of the need to protect individually identifiable health information through 
balanced federal legislation that protects personal health information from public 
disclosure while ensuring that information is available to carry out basis insurance 
and health plan functions. 

Both public and private payers require personal health information in order to ad- 
minister health care benefits. As noted by the General Accounting Office (GAO), 
[plersonally identifiable information is essential to the Health Care Financing Ad- 
ministration (HCFA) day-to-day administration of the Medicare Program.” i Of pri- 
mary importance is the need for public and private payers to use personally identifi- 
able patient information to pay billions of health care claims annually. Other vital 
activities that require the use of personally identifiable patient information by pub- 
lic and private payers are: 

• Determination of eligibility for benefits; 

• Determination of risk-adjustment mechanisms; 

• Detection and prevention of fraud and abuse; and 

• Review appropriateness and quality of care received by beneficiaries. 

In its July 20, 1999 testimony, the GAO also noted several problems faced by 
HCFA when there are non-uniform state laws for confidentiality of health informa- 
tion. First, if HCFA could not receive uniform health information from sources in 
all states, there could be an adverse affect on internal operations such as rate set- 
ting and quality assurance monitoring. Second, barriers to information gathering 
could affect the ability of government analysts to perform public policy analysis and 
health services research because of the burden resulting from compliance with var- 
ious, non-uniform state laws. 

Private payers face similar problems when state confidentiality laws are not uni- 
form. The current patchwork of state laws relating to patient confidentiality leaves 
consumers with fewer protections in some states than in others. Moreover, laws and 
regulations governing the collection, use, transmission, and disclosure of health in- 
formation reach to the heart of the insurance transactional process and thus have 
a major impact on insurers’ core business and systems functions. These critical func- 
tions increasingly are carried out across state lines by insurance companies and con- 
tractors through the use of computerized data transaction systems. Therefore, 
health information confidentiality is an area of insurance law in which a significant 
degree of non-uniformity could impede the industry’s ability to operate efficiently 
and meet the demands of its customers. The resources that must be devoted to com- 
pliance with differing state laws in this area can be significant. Adding a new layer 
of federal regulation without preemption of existing state confidentiality laws would 
only compound the difficulty. As a result, HIAA would support only those pieces of 
federal legislation that preempted most state laws. 

Consumers’ concerns over the confidentiality of health information must be ad- 
dressed. At the same time, however, we must be careful not to adopt overly prescrip- 
tive legislation that undermines the ability of the health care industry to provide 
these same consumers with the high quality, affordable health care services. 

Health information is the lifeblood of the health care system. The days of a pa- 
tient seeing only a single family practitioner have ended. Today, patients obtain 
care from a diverse group of health care practitioners, such as specialists and allied 
health care professionals. In this environment, effective care can only be provided 
through cooperation among practitioners who must share (and often communicate 
about) a patient’s medical information. As our nation has moved increasingly toward 
a system of integrated care and computerized transactions, the free flow of medical 
information becomes even more critical. Accurate, readily available health informa- 
tion is vital to determining the best course of treatment for a patient, and that is 
clearly its central and most important use. 

Also critical is the use of such information to help ensure that basic insurance 
functions are carried out, such as paying claims and preventing fraud and abuse. 


^MEDICARE: HCFA Needs to Better Protect Beneficiaries Confidential Health Information 
(GAO/T-HEH— 99-172, July 20, 1999). 
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Finally, health information is used for many other purposes: to assure health care 
quality, to help measure health outcomes, and to ensure that patients receive pre- 
ventive services, to name only a few. Proposed state and federal confidentiality laws 
generally contain rules affecting health insurers’ and health plans’ claims adminis- 
tration, enrollment and disenrollment processes, payment and remittance proce- 
dures, referrals and authorization certifications, quality improvement and research 
activities, and other areas. As such, they can have a significant impact on day-to- 
day business operations. Therefore, it is critical that balanced, responsible federal 
legislation be enacted that provides strong protections for consumers while not plac- 
ing undue regulatory burdens on the private health care system. 

In May 1999, the HIAA Board of Directors adopted formal policy supporting the 
enactment of federal confidentiality legislation that contains several important prin- 
ciples: 

• Federal standards for confidentiality of patient health information. 

As noted above, federal standards ensuring the confidentiality of patient health 
information are critical to guaranteeing uniform and consistent treatment of such 
information throughout the country. Congress took important steps in the right di- 
rection with HIPAA by requiring standardized electronic transmission of health care 
information with appropriate security protections. HIAA believes strongly that a 
uniform standard is the only way to avoid a dual-regulatory environment for med- 
ical records. State authority should remain paramount over areas of confidentiality 
that do not conflict with national uniformity and consistency, such as state report- 
ing requirements for public health and safety dangers. 

• Strong and consistent confidentiality protections for all individually identifiable 
patient health information. 

HIAA believes that all sensitive, personal health information should be kept con- 
fidential. Certain types of health information or information about illnesses should 
not be singled out legislatively for stronger protection, or weaker protections. 

• Facilitate appropriate use of patient health information and recognize that ac- 
cess to health information is helpful to patients and often critical to providing qual- 
ity care. 

Today, most health care services are delivered through some form of coordinated 
or organized system of delivery. As health plans, providers, hospitals, purchasers, 
and others in the health care industry continue to design and enter into innovative 
health care delivery arrangements, it is important to recognize that appropriate in- 
formation sharing and use must occur within that system to ensure patients receive 
appropriate health care. The trend toward the coordinated delivery of care provides 
greater opportunities to protect confidential patient health information, and to en- 
sure such information is used appropriately to benefit consumers. Such coordinated 
systems enable improved tracking of an individual’s health information to better 
monitor appropriate access to and uses of such information. 

• Do not impede public and private sector efforts to combat health care waste, 
fraud, and abuse. 

Patient medical information is important to anti-fraud activities carried out both 
by the state and federal governments, and by insurers. A 1999 audit by the HHS 
Office of the Inspector General found that Medicare made improper payments of 
over $12 billion in fiscal year 1998 alone, and the General Accounting Office has 
estimated that health care fraud accounts for up to 10 percent of national health 
care spending each year. 

Insurance information and patient information are the vehicles through which 
health care fraud is committed. Providers cannot falsify claims and medical equip- 
ment suppliers cannot submit inflated bills without access to patient information. 
At the same time, this information is critical to combating fraud, as investigators 
must depend heavily upon the use of medical records to document fraud cases. This 
does not necessarily mean that individually identifiable patient information must be 
publicly disclosed in order to successfully investigate and prosecute fraud. But it 
does mean that fraud investigators in both the public and private sectors must con- 
tinue to have access to such information. Thus, when developing federal legislation 
for confidentiality of health information. Congress should be mindful that overly 
prescriptive privacy protections might adversely affect health care fraud enforce- 
ment and ultimately be detrimental to consumers. 

• Provide fair penalties as a strong deterrent to misuse of individually identifiable 
health information, rather than imposing process-oriented regulatory requirements. 

HIAA believes that strong administrative penalties should be put in place for 
those who inappropriately use or disclose sensitive, individually identifiable health 
information. New penalties should not be authorized for administrative mistakes or 
errors, but only for material violations that lead to demonstrated harm to con- 
sumers. 
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Statement of Sue A. Blevins, President, Institute for Health Freedom 

Chairman Thomas and members of the Ways and Means Subcommittee on 
Health: 

Thank you for holding the important hearing on July 20, 1999 to discuss confiden- 
tiality of health information. My name is Sue Blevins. I am founder and president 
of the Institute for Health Freedom (IHF), a nonpartisan, nonprofit research center 
dedicated to promoting individual freedom to choose health care. 

For nearly three years, Congressional leaders have known that they must pass 
a medical privacy law by August 21, 1999 or the Clinton Administration will be 
handed the authority to regulate Americans’ medical privacy. The Health Insurance 
Portability and Accountability Act of 1996 mandates that if Congress fails to act by 
the August 21 deadline, then regulations governing medical privacy must be pro- 
mulgated by February 2000. The regulations will affect millions of individuals 
across the nation, including patients, doctors, law enforcement officials, health in- 
surers, researchers, and government agencies. 

Current proposals claiming to make medical information as “non-identifiable as 
possible” are no guarantee for true medical privacy. Can such vague legislation real- 
ly guarantee that researchers won’t be able to trace back patients’ personal informa- 
tion — including genetic and cellular information? With efforts to double the current 
$15 billion federal budget for biomedical research, it is apparent that scientists are 
going to need more data to complete research projects. But government has no right 
to allow researchers access to private-pa 3 dng patients’ medical information without 
first obtaining their consent. 

The Clinton Administration recently announced that its National Bioethics Advi- 
sory Commission (NBAC) completed a review of the ethical and medical consider- 
ations associated with human stem cell research. The Administration reports that 
it “recognizes that human stem cell technology’s potential medical benefits are com- 
pelling and worthy of pursuit, so long as the research is conducted according to the 
highest ethical standards. NIH is putting in place guidelines and an oversight sys- 
tem that will ensure that the cells are obtained in an ethically sound manner.” 

The Institute for Health Freedom urges Congress, the Clinton Administration, 
and the NIH to maintain and enforce strong informed consent principles. Research 
without consent is unethical. 


Statement of LPA, Inc. 

Mr. Chairman and Members of the Subcommittee: 

Thank you for allowing us to present our views to your Subcommittee regarding 
medical privacy legislation. LPA, Inc., formerly the Labor Policy Association, is a 
public policy advocacy organization representing senior human resource executives 
of more than 250 of the largest corporations doing business in the United States. 
LPA’s purpose is to ensure that U.S. employment policy supports the competitive 
goals of its member companies and their employees. LPA member companies employ 
more than 12 million employees, or 12 percent of the private sector workforce. 

While there are numerous issues in the medical privacy area where we share the 
concerns of others within the business community, LPA’s primary concern deals 
with the ability of employers to make critical human resource decisions that serve 
the interests of employees and the public at large. The principle at stake is whether 
employers, primarily through fitness-for-duty testing and drug testing, may ensure 
that employees are not only capable of performing the functions of their position but 
also that, in doing so, they do not pose a threat to themselves, their co-employees, 
or the public at large. This concern goes well beyond the bottom-line interests of 
the employer. 

Moreover, we urge the Subcommittee not to overlook the substantial protections 
that already exist under current law to ensure that employers do not abuse this re- 
sponsibility. First and foremost, almost ten years ago, the Congress enacted sweep- 
ing legislation — the Americans With Disabilities Act (ADA) — that establishes sub- 
stantial protections for employees regarding employment decisions based on their 
physical and mental capabilities. As part of those protections, the law imposes care- 
fully crafted restrictions on what employers can ask and how they can use medical 
information about applicants and employees. 



105 


Mr. Chairman, we appreciate the work your staff has done to learn about these 
issues as it drafted your version of medical privacy legislation. We look forward to 
working with them further to ensure that final legislation allows employers to meet 
their obligations to employees and others under current labor and employment laws. 

The Executive Branch has not been as responsive. In her September 1996 testi- 
mony before Congress, Secretary of Health and Human Services Donna Shalala 
spoke at great length about the need for specific and far-reaching protections for the 
personal health information of patients. However, the Secretary’s testimony gave far 
less attention to the very legitimate need of employers for health information for 
the purposes of ensuring a safe and efficient workplace and complying with existing 
law. 

Under legislation previously introduced in the House — H.R. 1057 and S. 573, the 
“Medical Information Privacy and Security Act,” H.R. 1941, the “Health Information 
Privacy Act,” H.R. 2404, the “Personal Medical Information Protection Act of 1999,” 
and H.R. 2470, the “Medical Information Protection and Research Enhancement Act 
of 1999” — and in the Senate — S. 578, the “Health Care Personal Information and 
Nondisclosure Act of 1999” and S. 881, the “Medical Information Protection Act of 
1999” — the impact on these restrictions would be, at best, unclear. At worst, the 
careful balance in the ADA between the individual employee’s interests and those 
of his or her co-employees, the employer and the public would be completely under- 
mined. A similar analysis applies to drug testing which, in many instances, employ- 
ers are required or encouraged to perform by law. 

Since these employer activities have never been the focus of the medical privacy 
debate, we do not believe the supporters of medical privacy legislation would intend 
to disrupt them. Instead, it is our sense that, in the rush to enact legislation by 
the August 1999 deadline, the Congress is still gathering information about all the 
various endeavors that could be affected, and this is an impact that has not been 
fully considered. Indeed, after raising these concerns with the Senate Committee on 
Health, Education, Labor and Pensions, the medical privacy legislation currently 
under consideration by the Committee now protects these employer activities. 

Therefore, it is our purpose today to provide you with the necessary information 
to assist you in crafting legislation that does not pose a threat to the ability of em- 
ployers to protect their own employees as well as the public at large. 

Drug and Fitness for Duty Tests 

Many jobs require certain levels of physical and/or mental competencies. Fitness 
for duty examinations allow employers to determine whether an individual can per- 
form the essential functions of the job and, if they are not able to because of a dis- 
ability, whether a reasonable accommodation can be made to enable them to per- 
form those functions. 

The Equal Employment Opportunity Commission, in its January 1992 “Technical 
Assistance Manual on the Employment Provisions (Title I) of the Americans With 
Disabilities Act,” provides several examples of fitness tests, all of which are con- 
sistent with the ADA’s protections: 

• ensuring that “prospective construction crane operators do not have disabilities 
such as uncontrolled seizures that would pose a significant risk to other workers;” 

• testing of workers in certain health care jobs “to ensure they do not have a cur- 
rent contagious disease or infection that would pose a significant risk of trans- 
mission to others;” and 

• ensuring that an individual considered for a position operating power saws or 
other dangerous equipment is not someone “disabled by narcolepsy who frequently 
and unexpectedly loses consciousness.” 

In addition to fitness for duty tests, many employers implement drug testing of 
prospective and current employees. Workplace drug testing, as part of a drug-free 
workplace policy, has proven extremely effective in reducing work-related accidents. 
In the 1980s, many companies implemented these programs and began experiencing 
immediate positive results in their health and safety records. Many of these were 
described in a 1989 study by the Employment Policy Foundation entitled “Winning 
the War on Drugs: The Role of Workplace Testing”: 

• Southern Pacific Transportation Co. first implemented its drug testing program 
in 1984. According to the company, personal injuries per 200,00(1 employee hours 
worked dropped from 15.6 in 1983 to 6.5 in 1988. Train accidents attributable to 
human failure dropped from 911 incidents in 1983 to 96 in 1988. 

• Pacific Gas and Electric Co. enjoyed a 25% reduction in accidents and a 40% 
decrease in serious injuries after it implemented its pre-employment screening pro- 
gram, designed to alert the company to drug-using job applicants. 
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• Illinois Bell reported saving $459,000 in reduced absences, accidents and med- 
ical disability resulting from a rehabilitation program in which drug-using employ- 
ees were enrolled. 

Because of the success of programs like these, testing in some industries is now 
even required by law, such as the mandatory drug testing programs for commercial 
drivers required by the Omnibus Transportation Employee Testing Act of 1991. 
Even where drug testing is not required, it is often encouraged. Thus, the Drug-Free 
Workplace Act of 1988 requires all federal contractors with contracts of at least 
$25,000 to certify that they are providing a drug-free workplace, at the risk of con- 
tract debarment if they fail to do so. Many contractors are able to provide this cer- 
tification as a result of their drug testing programs. 

Application of Pending Legislation 

None of the bills introduced so far in the 106th Congress contain specific provi- 
sions dealing with fitness for duty tests or drug testing. However, it seems clear 
that the broad definitions of “protected health information” (PHI) under the various 
bills would encompass the data obtained from those tests, since PHI includes all in- 
formation that relates to the “past, present or future physical or mental health or 
condition of an individual” that is “created or received by,” among others, an em- 
ployer. 

The bills require that employers obtain a separate authorization from an em- 
ployee before receiving such protected health information. If the employee refuses 
to provide the authorization, the employer is forbidden from viewing the results of 
those tests. This is specifically stated in Section 203 of H.R. 1057 and S. 573 which 
provides that an employer, health plan, health or life insurers, or providers “may 
not disclose protected health information to any employees or agents who are re- 
sponsible for making employment, work assignment, or other personnel decisions 
with respect to the subject of the information without a separate authorization per- 
mitting such disclosure.” Section 103 of H.R. 1941 provides that employers may not 
require an authorization of disclosure of protected health information as a condition 
of providing or pa3dng for health care. 

The requirement for an authorization in these instances is, of itself, not problem- 
atic, as long as the employer may take appropriate action where the employee or 
applicant fails to provide the authorization. Thus, if a job applicant takes a manda- 
tory fitness for duty test, but refuses to authorize disclosure of the results to the 
employer, the employer should be able to refuse to hire the individual on that basis, 
or else the test is no longer mandatory. 

Two of the bills — H.R. 1057 and S. 573 — generally require employers to provide 
written notice to their employees of, among other things: “The right of an individual 
not to have employment or the receipt of services conditioned upon the execution 
by the individual of an authorization for disclosure.” This is the only place in the 
bills where this right is mentioned, but if the bills do indeed create such a right 
and become law, then an employer would violate the law by refusing to hire an indi- 
vidual who failed to authorize the release of the results of a drug or fitness for duty 
test. 

We believe that Congress has no inclination to prevent employer practices de- 
signed to protect the health and safety interests of their employees and the public, 
particularly in view of the history of strong congressional support for drug testing 
programs. Thus, we strongly urge this Subcommittee to clarify any medical privacy 
legislation that it considers to ensure that mandatory fitness and drug testing can 
continue to exist. 

Relationship of Legislation to Existing Laws 

A broader unintended problem is the failure to contemplate the interaction with 
other laws which may not comprehensively regulate disclosure of individual medical 
information, but where that information is implicated in the compliance with those 
laws. In particular, the ability of employers to comply with both the Americans with 
Disabilities Act (ADA) and the Family and Medical Leave Act (FMLA) could be sub- 
stantially impaired. 

Americans with Disabilities Act. Under the Americans with Disabilities Act, em- 
ployers are already substantially regulated as to when they can require medical 
exams of, or request medical information from individuals; what they can examine 
or ask them for; and what employment decisions are permissible once medical infor- 
mation concerning the individual is acquired. An employer is generally prohibited 
from discriminating against a “qualified individual with a disability,” which means 
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a disabled individual who can perform the “essential functions of the job” with or 
without a “reasonable accommodation.” 

The ADA rightfully recognizes that the employer must have access to a certain 
amount of medical information about employees and prospective employees. Under 
Section 102 of the ADA, employers have the right to require a medical examination 
after an offer of employment has been made and prior to the commencement of em- 
ployment. If, during the medical examination, the doctor discovers a condition that 
may affect the person’s ability to do the job, the employer still must go through the 
“reasonable accommodation process” to determine whether the individual could do 
the essential functions of the joh with reasonable accommodation. Once the indi- 
vidual has been hired, the employer may not require medical examinations unless 
they are “job-related and consistent with business necessity.” 

Meanwhile, the ADA limits the amount of medical information that can be ob- 
tained during employment to that information which is job-related and consistent 
with business necessity. Strict confidentiality requirements apply to the informa- 
tion. During the hiring process, the employer may share medical information only 
with decision makers with a “need to know” the information. Even an employee’s 
supervisor and manager are not entitled to any medical information beyond what 
limitations the employee has to do the particular job. Thus, the ADA already pro- 
tects against any improper use of critical medical data by the employer. 

Yet, the data obtained consistent with ADA requirements would clearly constitute 
protected health information under legislation introduced so far. Thus, even though 
the employer would have a right to access the data under the ADA, a new author- 
ization requirement would be superimposed and employers could be forbidden from 
viewing the results of medical exams taken to detect or confirm the existence of a 
disability that could affect the ability of an employee to do his or her job com- 
petently and safely. While H.R. 1941 provides explicitly that it shall not preempt 
the Americans with Disabilities Act, the disclosure requirements in the bill make 
compliance with the ADA potentially problematic. 

Family and Medical Leave Act. Under the Family and Medical Leave Act (FMLA), 
employees are guaranteed a right to up to twelve weeks of leave annually for a seri- 
ous medical condition. Under Section 103 of the FMLA, employees who wish to use 
FMLA medical leave can be required by their employer to provide a certification 
issued by a health care provider that discloses, in part: 

• the date on which the employee’s “serious medical condition” began; 

• the probable duration of the condition; 

• the “appropriate medical facts within the knowledge of the health care provider” 
regarding the condition; and 

• a statement that the employee is unable to “perform the functions of the posi- 
tion.” 

Clearly, most or all of the information contained in the medical certification would 
meet the definition of protected health information under all the proposed bills, and 
would therefore be covered by the requirements of those bills. Thus, for the em- 
ployer to receive the certification, the employee would have to provide the requisite 
authorization. Since the employer may, under the FMLA, deny leave for an alleged 
serious medical condition where no certification is provided, could an employee 
argue that his or her consent was coerced in this situation and thus not valid? This 
issue must be clarified in the legislation. 

Conclusion 

In conclusion, we believe it is extremely important that any legislation crafted by 
your Subcommittee in this area recognize the critical role played by medical infor- 
mation in enabling employers to provide necessary protections to their employees 
as well as the general public. These protections are provided within a framework 
of existing laws that were carefully crafted to achieve a balance between the com- 
peting interests of the individual employee, his or her co-employees, the employer 
and the public. A dismantling of this framework, whether intended or not, would 
be disastrous. 


Statement of National Association of Health Underwriters, Arlington, VA 

The National Association of Health Underwriters is an association of insurance 
professionals involved in the sale and service of health insurance, long-term care in- 
surance, and related products, serving the insurance needs of over 100 million 
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Americans. We have almost 16,000 members around the country. We appreciate this 
opportunity to present our comments regarding confidentiality of health informa- 
tion. 

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 
1996 (HIPAA), called for Congress to pass legislation to protect the confidentiality 
of patient medical records no later than August 1, 1999. Should Congress fail to act, 
HIPAA requires the Department of Health and Human Services to write regulations 
by February 2000. While there is general agreement on the need for such legisla- 
tion, it is clear that absolute confidentiality may be unobtainable, and that a bal- 
ance must be achieved between a person’s reasonable desire and expectation of con- 
fidentiality, and a payer’s right and duty to know what they are paying for. 

Technological advances have vastly improved the ability of providers to track pa- 
tient care and outcomes, develop disease management programs, and exchange in- 
formation with other providers to improve patient care. These same advances have 
enabled payers and providers to exchange information quickly to improve the speed 
and accuracy of claims payment. These technological advances combined with new 
medical advances in the treatment, and prevention of disease have changed and im- 
proved the way medical care is delivered in the United States. When these changes 
are combined with a now highly mobile society, it becomes clear that the picture 
of a person’s medical records being stored only in the family physician’s locked filing 
cabinet is a thing of the past. 

In spite of these changes, NAHU believes that individuals should have an expec- 
tation of confidentiality with respect to their personal health information and 
records. A patient who is fearful that his or her medical records might be disclosed 
without authorization to a third party may withhold medical information, give false 
information, or simply not seek treatment for his or her medical condition, resulting 
in a lack of proper medical treatment, the wrong treatment or no treatment at all. 

NAHU believes that individuals have certain rights with respect to their medical 
records. Individuals should be able to inspect or copy their medical records, to re- 
quest an amendment to their medical records, and to have a written copy of any 
disagreement they have with the content of their medical records be listed as a per- 
manent part of their medical file, if their request for amendment is denied. 

Health plans, health care providers, public health agencies, researchers, schools, 
and others who must collect certain medical information should retain on file an au- 
thorization for the release of medical information. This authorization allows disclo- 
sure of only the medical information necessary to accomplish the purpose for which 
it is disclosed. 

Some groups have called for specialized confidentiality standards on certain “spe- 
cially protected” portions of a person’s medical records, such as information on ge- 
netic testing, mental health history, or HIV status. NAHU is opposed to this separa- 
tion of records for two reasons. First, this approach focuses attention away from the 
importance of protecting the entire medical record. It is important to note that dif- 
ferent individuals have differing ideas about which parts of their medical records 
are most sensitive. One person may be most sensitive about the results of a genetic 
test, while another may be concerned about a record of cosmetic surgery. It is impos- 
sible for us to know what each person would choose to keep in a “super secret” file, 
if they had the choice. 

Our second concern relates to the practical aspect of keeping two sets of files. For 
NAHU’s members, for example, copies of applications are retained for individuals 
as well as employer groups that apply for coverage. On small employer plans, indi- 
vidual employees also complete medical questionnaires. So agents may actually have 
these records on each of 50 employees for each of the employer groups they service, 
in addition to those of all of the individuals who apply for coverage. Depending on 
what Congress decided would be kept in which file, not only would our members 
have to duplicate each file, but they would have to re-screen each application and 
block out information which could not be retained in the standard file. This merely 
describes the process for insurance agents, which handle the initial paperwork on 
an insurance application. Insurance companies would be required to do the same 
thing. Doctors would have to complete two different medical records, and shift back 
and forth between both records. All other providers would be required to do the 
same thing. Not only would the chance for errors in the delivery of medical care 
increase dramatically, it would greatly increase the cost of delivery of health care. 
For these reasons, NAHU cannot support a confidentiality proposal that calls for 
dual record keeping and disclosure requirements. 

Thirty-four states currently have some form of confidentiality standards that have 
been enacted at the state level. Secretary Shalala and some others have suggested 
that new federal standards should be a “floor,” allowing the states to adopt more 
stringent standards. Many others believe that the interstate way medical care is de- 
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livered in today’s society, the cost implications of fifty separate sets of standards, 
and the potential confusion for providers and payers, especially those which operate 
on or near state lines, call for a uniform system nationwide. Confidentiality stand- 
ards are different from insurance regulations, in that they impact doctors, labs, clin- 
ics, hospitals, ambulatory facilities, nursing homes, researchers, and law enforce- 
ment officials, in addition to insurance companies, insurance agents, HMOs, and 
other health plans. In order to truly protect patients, it is important to be absolutely 
certain that there is no misunderstanding as to the provisions of new confidentiality 
standards. NAHU believes that a uniform national system would be more easily un- 
derstood by patients, providers, and payers, and that a single uniform system would 
be more cost effective. NAHU supports state enforcement authority of these uniform 
standards. 

NAHU has serious concerns about initiatives that would call for a private right 
of action for breaches of confidentiality. Particularly if state laws are not preempted, 
the complexities of confidentiality legislation, and the different rules in states that 
already exist for different types of medical information greatly enhance the oppor- 
tunity for accidental non-compliance. Legal action is expensive, and the cost will di- 
rectly affect the cost of health care plans and the premiums people pay for their 
insurance. If plans become unaffordable, the ranks of the uninsured will increase. 

NAHU recognizes that, while medical researchers may generally not require indi- 
vidually identifiable health information, there have been many occasions where it 
served the public health interest to be able to access individual information, for ex- 
ample, when discoveries have been made relative to dangers associated with certain 
medications. NAHU believes that researchers subject to peer review should continue 
to have the opportunity to advise participants in clinical trials or their physicians 
of these types of negative findings. 

Finally, NAHU acknowledges that law enforcement may have a legitimate use for 
medical records where an authorization for disclosure has not been made, for exam- 
ple, in the lawful interest of public safety when investigating a felony. NAHU be- 
lieves, however, that these uses should be the exception and not the rule, and that 
specific requirements for their use should be laid out in legislation, to ensure only 
appropriate release of information. 

NAHU believes that the American consumer will benefit greatly from reasonable 
and understandable standards for the protection of the confidentiality of medical 
records. These important protections will make for a healthier America by restoring 
confidence and trust in the confidentiality of the patient/provider relationship. 
NAHU looks forward to working with Congress on the passage and implementation 
of this very important legislation. 

We thank you for this opportunity to present testimony to the committee. Should 
you have any questions, please contact NAHU’s Director of Federal Policy Analysis, 
Janet Trautwein at (703) 276-3S06, jtrautwein@nahu.org. 


Statement of National Association of Insurance Commissioners, Special 
Committee on Health Insurance 

I. Introduction 

This testimony is submitted by the National Association of Insurance Commis- 
sioners’ (NAIC) (EX) Special Committee on Health Insurance. The NAIC requests 
that this written testimony be submitted as part of the record for the hearing on 
“Confidentiality of Health Information” held by the Health Subcommittee of the 
House Ways and Means Committee. 

The NAIC, founded in 1871, is the organization of the chief insurance regulators 
from the 50 states, the District of Columbia, and four of the U.S. territories. The 
NAIC’s objective is to serve the public by assisting state insurance regulators in ful- 
filling their regulatory responsibilities. Protection of consumers is the fundamental 
purpose of insurance regulation. 

The NAIC Special Committee on Health Insurance (“Special Committee”) is com- 
prised of 46 state insurance regulators. The Special Committee was established as 
a forum to discuss federal proposals related to health insurance and to provide tech- 
nical assistance to Congress and the Administration on a nonpartisan basis. 

Our testimony focuses on four aspects of the preemption issue raised by the cur- 
rent federal health information privacy legislation. First, we will discuss the states’ 
recognition of the desire for a minimum standard to protect the privacy of health 
information. Second, we will give some examples of what the states have done to 
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ensure that health information is kept confidential, and discuss the concerns we 
have about the preemption language in the proposed federal legislation and how 
Congress can develop a minimum standard without eliminating existing state pro- 
tections. Third, we will address the need for Congress to clarify the scope of any 
federal health information privacy legislation and to develop a way for states to 
measure their laws against any federal standard for compliance. Finally, we will 
discuss the enforcement of privacy laws, which may seem to go beyond the issue 
of preemption, but actually gets to the heart of whether Congress should adopt a 
floor in this area or completely preempt the states. 

II. Recognizing the Desire for a Federal Minimum Standard 

As required by the Health Insurance Portability and Accountability Act of 1996 
(HIPAA), Congress must enact privacy legislation by August 21, 1999. Should Con- 
gress fail to act, HIPAA requires the Secretary of Health and Human Services to 
promulgate regulations by February 2000. 

The states, acting through the NAIC, understand the desire for minimum stand- 
ards to protect the privacy of health information. A minimum standard in this area 
is considered necessary given that health information is transmitted across state 
and national boundaries. The transmission of health information, as opposed to the 
delivery of health care services, is not a local activity. This was one of our main 
reasons for developing a model on this issue — The Health Information Privacy 
Model Act (attached). 

The NAIC adopted the Health Information Privacy Model Act in September 1998.^ 
This model addresses many of the same issues that the federal legislation does, such 
as: (1) providing an individual the right to access and to amend the individual’s pro- 
tected health information; (2) requiring an entity to obtain an authorization from 
the individual to collect, use or disclose information; and (3) establishing exceptions 
to the authorization requirement. Our model was developed to assist the states in 
drafting uniform standards for ensuring the privacy of health information.^ How- 
ever, because our jurisdiction is limited to insurance, and health information privacy 
encompasses more issues than insurance and more entities than insurers, we under- 
stand the desire for broader federal legislation.^ 

Recognizing all of the above factors, along with the fact that all of the health in- 
formation privacy bills currently before Congress preempt state law in one fashion 
or another, the members of the NAIC have concluded that the privacy of health in- 


^This model was developed with state regulators, representatives of the insurance and man- 
aged care industries, and representatives from the provider and consumer communities. The 
NAIC model reflects the excellent work that has been done by a number of states on this dif- 
ficult topic. The NAIC recognized the need to update the provisions of its existing “NAIC Insur- 
ance Information and Privacy Protection Model Act,” which was adopted by the NAIC in 1980, 
to reflect the rapidly evolving marketplace for health care and health insurance and the dra- 
matic changes that have occurred over the past 19 years in information technology. 

2 The NAIC model requires carriers to establish procedures for the treatment of all health in- 
formation, whether or not it is protected health information. The model then establishes addi- 
tional rules for protected health information. In contrast, the federal bills require that named 
entities establish and maintain safeguards to protect the confidentiality of protected health in- 
formation, which is more limited. The NAIC believes that Congress should establish procedures 
to assure the accuracy and integrity of all health information, not just protected health informa- 
tion. 

^The most obvious difference between the NAIC model and the federal bills is in the scope 
of the entities to which the respective proposals would apply. The NAIC model applies to all 
insurance carriers. The federal bills are much broader and apply to health care providers, health 
plans, public health authorities, health oversight agencies, health researchers, health or life in- 
surers, employers, schools, universities, law enforcement officials, and agents. Different sections 
of the federal bills apply to different combinations of these named entities. However, we are con- 
cerned that the federal bills only apply to health and life insurers and not to all insurers. 

With respect to insurers, we recommend the approach of the NAIC model, which applies to 
all insurance carriers and is not limited to health and life insurers. The NAIC had an extensive 
public discussion about whether the NAIC model should apply only to health insurance carriers, 
or instead, to all carriers. Health and life insurance carriers are not the only types of carriers 
that use health information to transact their business. Health information is often essential to 
property and casualty insurers in settling workers’ compensation claims and automobile claims 
involving personal injury, for example. Reinsurers also use protected health information to write 
reinsurance. The NAIC concluded that it was illogical to apply one set of rules to health insur- 
ance carriers but different rules, or no rules, to other carriers that were using the same type 
of information. Consumers deserve the same protection with respect to their health information, 
regardless of the entity using it. Nor is it equitable to subject life and health insurance carriers 
to more stringent rules than those applied to other insurers. Our model applies to all insurance 
carriers and establishes uniform rules to the greatest extent possible. 



Ill 


formation is one of the few areas where it may be appropriate for the federal gov- 
ernment to set a minimum standard. However, it should be noted that up until this 
point there has been no federal standard in place. Rather, states have been the pro- 
tector of consumers in this area. Any federal legislation must recognize this fact and 
make allowances for it. 


III. Preemption 


A. Existing State Laws 

As this Subcommittee is well aware, the drafting of legislation to establish stand- 
ards that protect the privacy rights of individuals with respect to highly personal 
health information is a very difficult task. Like you, the members of the NAIC 
sought to write standards into the NAIC Model that would not cripple the flow of 
useful information, that would not impose prohibitive costs on entities affected by 
the legislation, and that would not prove impossible to implement in a world that 
is rapidly changing from paper to electronic records. At the same time, the members 
of the NAIC recognized the need to assure consumers that their health information 
is used only for the legitimate purposes for which it was obtained, and that this in- 
formation is not disclosed without the consumer’s consent or knowledge for purposes 
that may harm or offend the individual. 

When developing protections for health information, Congress must recognize the 
impact of any federal privacy legislation on existing federal and state laws. Al- 
though we cannot fully address the impact on federal law, we do know that many 
state laws touch on protected health information and appear in many locations 
within the states’ statutes and regulations. These laws do not neatly fit into a fed- 
eral bill’s list of exceptions. For example, privacy laws can be found in the insurance 
code, probate code, and the code of civil procedure. Numerous privacy laws relating 
to health information are also contained in the states’ public health laws, which ad- 
dress such topics as child immunization, laboratory testing, and the licensure of 
health professionals. Other potential areas involve workers compensation laws, 
automobile insurance laws, and laws regulating state agencies and institutions. In 
addition, many state privacy laws only address health programs or health-related 
information that are unique to a particular state. 

Let us give you some examples of the existing state laws that protect health infor- 
mation. 

California 

California’s Business and Professions Code provides protections for health infor- 
mation used in telemedicine, which is the practice of health care delivery, diagnosis, 
consultation, treatment, transfer of medical data and education using interactive 
audio, video or data communications (Cal. Bus. & Prof.. Code § 2290.5). These pro- 
tections are in addition to other existing confidentiality protections provided by law, 
including the “Confidentiality of Medical Information” statute in California’s Civil 
Code (Cal. Civ. Code § 56 et seq.). Under the telemedicine law, the health care prac- 
titioner must obtain verbal and written informed consent from the patient prior to 
the delivery of health care via telemedicine. The individual retains the option to 
withhold or withdraw consent at any time without affecting the right to future care 
or treatment or without risking the loss or withdrawal of any program benefits to 
which the individual would otherwise be entitled. The patient is guaranteed access 
to all medical information transmitted during a telemedicine consultation, and cop- 
ies of this information are available for a reasonable fee. Dissemination of any pa- 
tient-identifiable images or information from the telemedicine interaction to re- 
searchers or other entities is prohibited without the consent of the patient. This 
statute provides only three exceptions to the requirement of patient consent for dis- 
closure of health information: (1) when a patient is not directly involved in the tele- 
medicine interaction, such as when one health care practitioner consults with an- 
other health care practitioner; (2) in an emergency situation in which a patient or 
representative is unable to give informed consent; and (3) to a patient under the 
jurisdiction of the Department of Corrections. 

California’s telemedicine statute could arguably be preempted by federal legisla- 
tion that uses a total preemption approach. This statute is one example of states 
responding to changes in technolo^ and addressing issues beyond those addressed 
in any of the federal bills. California not only protects the confidentiality of medical 
records but it protects health information in telemedicine. The telemedicine statute 
also requires consent for disclosing health information and has far fewer exceptions 
for disclosure without consent than any of the federal bills. The state law also guar- 
antees patients the right to access all medical information without exception, where- 
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as the federal bills have exceptions to patient access. Finally, the state law allows 
the patient to revoke consent at any time without affecting the right to future care 
or program benefits; however, this right is not included in the federal legislation. 
If a federal privacy bill using a total preemption approach is enacted, California’s 
telemedicine protections, which are stronger than those in the pending federal legis- 
lation, would arguably be preempted. 

Connecticut 

Connecticut has already enacted a privacy protection law for insurance informa- 
tion. (Conn. Gen. Stat. 38a-975 et seq.). This law applies to insurance institutions, 
agents and insurance-support organizations, and it protects health information that 
is collected, received or maintained in connection with insurance transactions that 
pertain to individuals who are residents of the state or who engage in insurance 
transactions with applicants, individuals or policyholders who are residents of the 
state. It also applies to insurance transactions involving policies, contracts or certifi- 
cates of insurance delivered, issued for delivery, or renewed in the state. This law 
applies to life, health, disability, and property and casualty insurance, and therefore 
to issuers of these products. This state law would be preempted under a federal bill 
that used a total preemption approach. Arguably any health information held by life 
or health insurers may still be protected under the federal legislation; however, 
health information held by disability or property and casualty insurers, which is 
currently protected under this state law, would become unprotected under the cur- 
rent federal legislation. Without the opportunity for the state to implement its own 
laws to address these types of insurers, the health information they hold would be 
vulnerable to potential misuse or disclosure by those who hold it. In addition, if the 
federal standard were to fall short of Connecticut law in some way, the level of pro- 
tection for information held by life and health insurers would be diminished. 

Florida 

Florida’s Civil Rights law requires confidentiality and informed consent for genetic 
testing. (Fla. Stat. Ann. § 760.40). The law provides that except for purposes of 
criminal prosecution, determining paternity, or acquiring specimens from persons 
convicted of certain offenses, DNA analysis may be performed only with the in- 
formed consent of the person to be tested, and the results of such DNA analysis, 
whether held by a public or private entity, are the exclusive property of the person 
tested, are confidential, and may not be disclosed without the consent of the person 
tested. This law arguably would be preempted by a total preemption approach that 
uses the “related to” standard. Civil rights laws and genetic testing laws do not fall 
within any of the federal bills’ exceptions, so presumably DNA tests would be gov- 
erned by the provisions of federal bills. However, the federal legislation would argu- 
ably allow DNA test results and the identity of the individual to be disclosed with- 
out the individual’s authorization under some of the federal bills’ provisions, includ- 
ing the research provisions. 

Massachusetts 

Under Massachusetts’ education statutes, provisions are established for the test- 
ing, treatment and care of persons susceptible to genetically-linked diseases. (Mass. 
Ann. Laws ch.76, § 15B). The law requires the Department of Public Health to fur- 
nish necessary laboratory and testing facilities for a voluntary screening program 
for sickle cell anemia or for the sickle cell trait and for such genetically-linked dis- 
eases as may be determined by the Commissioner of Public Health. Records main- 
tained as part of any screening program must be kept confidential and will not be 
accessible to anyone other than the Commissioner of Public Health or to the local 
health department which is conducting the screening program, except by permission 
of the parents or guardian of any child or adolescent who has been screened. Infor- 
mation on the results of any particular screening program shall be limited to notifi- 
cation of the parent or guardian of the result if the person screened is under the 
age of 18 or to the person himself if he is over the age of 18. The results may be 
used otherwise only for collective statistical purposes. Again, this state program 
may be preempted by a federal privacy law because it does not fall under the federal 
bills’ preemption exceptions. Under the federal bills this health information would 
be at risk of disclosure without authorization under the public health or research 
provisions. 

Michigan 

Michigan’s Public Health Code mandates confidentiality of HIV testing and re- 
quires written, informed consent (Mich. Comp. Laws. § 333.5114, 333.5133). A phy- 
sician or the physician’s agent shall not order an HIV test for the purpose of diag- 
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nosing HIV infection without first receiving the written, informed consent of the test 
subject. Written, informed consent must contain at a minimum all of the following: 
(1) an explanation of the test, including the purpose of the test, the potential uses 
and limitations of the test, and the meaning of the test results; (2) an explanation 
of the rights of the test subject, including the right to withdraw consent prior to 
the administration of the test, the right to confidentiality of the test and the results, 
and the right to participate in the test on an anon3Tnous basis; and (3) the persons 
or class of persons to who the test results may be disclosed. In addition, an indi- 
vidual who undergoes an HIV test at a department-approved testing site may re- 
quest that the HIV test be performed on an anonymous basis. Staff shall administer 
the HIV test anonymously and shall obtain consent to the test using a coded system 
that does not link the individual’s identity with the request for the HIV test or the 
results. The Michigan law states that consent is not required for an HIV test per- 
formed for the purpose of research, if the test is performed in such a manner that 
the identity of the test subject is not revealed to the researcher and the test results 
are not made known to the test subject. This state law risks being preempted by 
the federal legislation depending on the preemption approach and the exceptions. 
If state public health laws are exempt from federal law, this state law could be left 
in place depending on how the federal legislation classifies public health laws. If 
state public health laws are not excepted, this state law would arguably be pre- 
empted by federal legislation that uses a total preemption approach, but tbe protec- 
tion the state law offers would not be replaced with a federal equivalent. Some of 
the federal bills would allow the identity of the individual to be disclosed without 
the individual’s consent under the public health or research provisions. 

Montana 

Under Montana’s laws governing health maintenance organizations, any data or 
information pertaining to the diagnosis, treatment, or health of an enrollee or appli- 
cant obtained from the enrollee, applicant or a provider by a health maintenance 
organization must be held in confidence and may not be disclosed to any person, 
except upon express consent of the enrollee or applicant, pursuant to statute or 
court order for the production of evidence or discovery, in the event of a claim or 
litigation between the enrollee or applicant and the health maintenance organiza- 
tion where in the data or information is pertinent, or to the extent necessary to 
carry out the purposes of this chapter. (Mont. Code Ann. § 33-31-113). The provi- 
sions of the state law would presumably be preempted by a total preemption ap- 
proach and would not be saved under any current exception in the federal bills. The 
state law prohibits disclosure except in a few limited cases, mostly pertaining to liti- 
gation, whereas the federal legislation would allow health maintenance organiza- 
tions (health plans) to disclose this protected information without authorization 
under many more instances. 

In addition, Montana just enacted a comprehensive medical records privacy bill 
targeted at insurers. This new law was modeled after the NAIC Health Information 
Privacy Model Act, and it builds upon Montana’s Insurance Information and Privacy 
Protection Act (Mont. Code Ann. § 33-19-101 et seq.), which is very similar to Con- 
necticut’s law (see above). The efforts and careful consideration of the state legisla- 
ture to adopt privacy legislation would be lost, if the federal privacy legislation pre- 
empts all state laws relating to confidentiality of health information. 

Ohio 

Under Ohio law, information collected by the Ohio Health Care Data Center must 
be kept confidential, and may only be released in aggregate statistical form. (Ohio 
Rev. Code Ann. § 3729.46(B)). The Director of Health, employees of the Department 
of Health including employees of the data center, and any person or governmental 
entity under contract with the director shall keep confidential any information col- 
lected that identifies an individual, including information pertaining to medical his- 
tory, genetic information, and medical or psychological diagnosis, prognosis, and 
treatment. Theses persons and entities shall not release such information without 
the individual’s consent, except in summary or statistical form with the prior writ- 
ten permission of the Director or as necessary for the Director to perform his duties. 
This state law would be preempted by a federal privacy law that totally preempted 
state law or did not include this type of law as an exception to federal preemption. 
The state law only allows release of information in summary form without identi- 
fication of the individual, but this same information risks being released as person- 
ally identifiable information under the federal legislation. The federal legislation 
would end up unprotecting this information that is currently protected under state 
law. 
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Vermont 

Vermont, like some other states, has a cancer registry. (18 V.S.A. §§164, 155, 
156). The Vermont statutes require the Vermont Health Commissioner to keep con- 
fidential all information reported to the cancer registry, with exceptions for the ex- 
change of confidential information with other states’ cancer registries, federal cancer 
control agencies and health researchers under specified conditions. The provisions 
of these state laws would arguably be preempted by a federal privacy law that to- 
tally preempted state law or did not include state cancer registry laws as an excep- 
tion to federal preemption. Presumably, a federal privacy law would allow the 
Vermont Health Commissioner to disclose protected health information in situations 
not authorized by the state’s statutes, but allowed to be disclosed without authoriza- 
tion under the federal bills’ public health or research provisions. 

These examples should not be construed as a definitive legal analysis of the rela- 
tionship between these state laws and the federal bills. The comments are not based 
on an extensive review of all relevant state laws that might affect the ultimate con- 
clusion about the interaction of the federal bills and the states’ laws. However, the 
range of state laws relating to protected health information, and the diversity of 
their purposes and of the entities that they affect, are critical factors for assessing 
the impact of any federal preemption language. 

B. The Best Approach to Developing a Federal Standard 

An argument will be made that the only solution to this collection of state privacy 
laws is a total preemption of state law. However, this “solution” is a deceptively 
easy response to the various state privacy laws and will most certainly result in ad- 
verse, unintended consequences. The language “any State law that relates to mat- 
ters covered by this Act” could preempt literally hundreds of state laws that affect 
protected health information.'^ Many state laws that are seemingly unrelated to 
health information on their face affect health information privacy and could be 
eliminated by a total preemption approach without any equivalent federal protec- 
tion. Health information or health-related information that is currently protected 
will end up unprotected, and states will not be able to remedy the problem or “re- 
protect” the information. We offer this perspective not to “protect our turf,” but rath- 
er as a caution against unintended consequences to the consumer. Because of the 
number and scope of the laws involved, our concerns are not limited to insurance 
law. We do not want Congress to reduce or eliminate any protections already in 
place. Preemption of state law is not a workable solution. 

We believe the best approach would be to set a federal standard that does not 
preempt state laws that have been protecting health information for so many years. 
Up until now, there has been no federal standard in place, and the states have been 
protecting consumers. We understand the desire to establish a federal floor in this 
area, but it is not appropriate to preempt stronger state laws or preempt state laws 
that are outside the scope of the federal privacy legislation. As discussed earlier, the 
states have enacted privacy protections for their citizens in a variety of areas. These 
citizens should not lose stronger protections for their health information or lose pro- 
tections granted by the states in areas not contemplated by the federal legislation. 

In addition, we believe that states should be allowed to enact stronger privacy 
protections in the future in response to innovation in technology and changes in the 
use of health information. We believe the best approach would balance the desire 
for uniformity with the recognition of the states’ ability to respond quickly and to 
provide additional protections to their citizens. States can quickly identify the im- 
pact of any federal privacy law or any changes in technology or in the use of health 
information and can efficiently remedy any adverse situation. We urge Congress not 
to take a “broad-brush” approach to preemption that would unintentionally take 
away protections at the state level, eliminate the states’ ability to remedy unin- 
tended consequences that result from federal privacy legislation, or prevent states 
from responding in the future. 


'^This language is very similar to the preemption language contained in the Employee Retire- 
ment Income Security Act of 1974 (ERISA), which states: “[T]he provisions of this title. ..shall 
supersede any and all State laws insofar as they may now or hereafter relate to any employee 
benefit plana....” (emphasis added). As this Committee is well aware, twenty-five years of litiga- 
tion and numerous Supreme Court decisions have yet to clarify the scope of the ERISA preemp- 
tion language. We would respectfully suggest that a “relate to” standard is not a good standard 
to adopt in federal legislation regulating the use of health information. Total preemption lan- 
guage will unintentionally erase important state laws but not provide equivalent federal protec- 
tions. This is the unfortunate situation that has occurred as the result of the preemption lan- 
guage contained in ERISA. 
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Since Congress is certain to set some type of federal standard, we offer the fol- 
lowing language as a suggestion of how federal privacy legislation may be drafted. 
This language sets a federal minimum standard that leaves in place existing state 
laws that are at least as protective as the federal legislation and allows states to 
enact stronger laws in the future. 

Nothing in this Act shall be construed as preempting, superseding, or repealing, 
explicitly or implicitly, any provision of State law or regulation currently in effect 
or enacted in the future that establishes, implements, or continues in effect any 
standard or requirement relating to the privacy of protected health information, if 
such state laws or regulations provide protections for the rights of individuals to the 
privacy of, and access to, their health information that are at least as protective of 
the privacy of protected health information as those protections provided for under 
this Act. Any state laws or regulations governing the privacy of health information 
or health-related information that are not contemplated by this Act, not addressed 
by this Act, or which do not directly conflict with this Act, shah not be preempted. 
Federal law shall not occupy the held of privacy protection. The appropriate federal 
authority shah promulgate regulations whereby states can measure their laws and 
regulations against the federal standard. 

We believe this language recognizes the desire for a federal standard while re- 
specting what the states have already done. 

IV. Scope of the Legislation 

In addition to adopting an approach that recognizes the privacy protections al- 
ready enacted by the states and that allows states the flexibility to enact stronger 
privacy laws in the future, we urge Congress to draft legislation that specifically 
outlines the areas that Congress intends to address. Congress needs to be very spe- 
cific about the scope of any federal privacy legislation. This is of particular concern 
since the current privacy legislation is silent on many issues affecting federal and 
state law. The scope should not be left ambiguous or left to the courts to decide. 
We believe it would be better for the protection of consumers’ health information 
if Congress would specify what is addressed by the federal legislation as opposed 
to attempting to list all of the state laws that are exempt from the federal legisla- 
tion. 

Ah of the current federal bills contain specific exceptions to the federal preemp- 
tion language for certain state laws. Reviewing all of the bills, these exceptions in- 
clude state laws that: (1) provide for the reporting of vital statistics such as birth 
or death information; (2) require the reporting of abuse or neglect information about 
any individual; (3) regulate the disclosure or reporting of information concerning an 
individual’s mental health; (4) relate to public or mental health and prevent or oth- 
erwise restrict disclosure of information otherwise permissible under the federal leg- 
islation; (5) govern a minor’s rights to access protected health information or health 
care services; (6) relate to the disclosure of protected health information or any 
other information about a minor to a parent or guardian of such minor; (7) authorize 
the collecting, analysis, or dissemination of information from an entity for the pur- 
pose of developing use, cost effectiveness, performance, or quality data; and (8) con- 
cern a privilege of a witness or person in state court. 

Although each of the exceptions is appropriate and the list represents a good start 
at enumerating the specific categories of state laws that should not be preempted, 
these specific exceptions to the preemption language do not alleviate our concerns. 
There are other state laws that do not fit into any of the explicit categories and that 
would therefore be preempted by the broad scope of the general preemption lan- 
guage. In addition, not all of these specified exceptions are included in each of the 
bills. We mention this to underscore the critical importance of clearly defining the 
scope of what the federal legislation is addressing and the applicability of any spe- 
cific privacy standard or exception. We believe it wiser and easier to define what 
types of health information and what state laws are within the scope of the federal 
legislation, rather than what types of health information and what state laws are 
outside of the scope of the federal legislation. 

In addition, we urge Congress to outline a way in the federal privacy legislation 
for the states to measure their laws against any federal standard and to provide 
options for states to meet those requirements. In HIPAA, Congress gave the states 
three options in meeting the requirements of that legislation. Similar guidelines are 
needed in the privacy legislation. States need to be able to judge whether their state 
laws are stronger than the federal law in order to determine whether they need to 
take further action to revise their laws. 
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V. Enforcement 

Finally, we strongly caution Congress against enacting legislation that would pre- 
empt state laws, because we have several concerns about the enforcement of any 
federal privacy law. First, while all of the federal bills include criminal and civil 
sanctions and some of the bills allow a private right of action, we are concerned 
about the level of penalties. All of the federal bills include criminal sanctions for 
those who “knowingly and intentionally” disclose protected health information; how- 
ever, under such a strict standard, it is unlikely that very many prosecutions will 
take place at the federal level. The federal bills also impose civil sanctions, but the 
maximum penalty is only $100,000 for violations occurring so frequently as to be 
considered a business practice. For a multi-million dollar company, $100,000 can be 
written off as a business expense. Given the lucrative market for the sale of individ- 
ually identifiable health information, such an expense could be considered a minor 
inconvenience. 

The states possess a more effective enforcement tool than just monetary penalties. 
Insurers and other entities, such as hospitals and providers who hold protected 
health information, are licensed by the state. For repeated violations, the appro- 
priate state agency can revoke the entity’s license to do business in the state. This 
type of penalty forces the entity involved to change its business practices to conform 
to the law. Total preemption of state law could eliminate this enforcement mecha- 
nism. 

Second, we also have concerns regarding the federal government’s ability to con- 
duct day-to-day oversight and enforcement of these laws. Our internal and informal 
surveys have shown that states get very few complaints from individuals about in- 
appropriate disclosures of their protected health information. Consumers generally 
are not aware when a company releases their information. Instead the state agency 
overseeing that entity uncovers the violation. State insurance departments employ 
examiners who conduct on-site reviews of insurance companies’ files. When a viola- 
tion is found, it can be corrected immediately. Unless the federal government is pre- 
pared to duplicate this system, states should not be preempted from enforcing their 
own laws. 

In addition, state insurance departments offer consumers a place to register their 
complaints. Those consumers who believe their rights may have been violated can 
call their state insurance departments and talk with someone about their concerns 
and have their concerns investigated. We do not believe that this degree of inter- 
action and involvement will exist at the federal level. When a consumer believes his 
or her rights may have been violated under the new federal law, who in the federal 
government will that individual call? States already have an enforcement structure 
in place. This is a structure that should be built upon not preempted. 

VI. Conclusion 

Establishing standards to protect the collection, use, and disclosure of health in- 
formation is a very important undertaking. The growth of managed care, the in- 
creasing use of electronic information, and the advances in medical science and com- 
munications technology have dramatically increased both the availability and the 
importance of health information. The efficient exchange of health information will 
save thousands of lives. The information is critical for measuring and analyzing the 
quality and cost effectiveness of the health care provided to consumers. Consumer 
benefits from advances in health information are vast. However, the potential for 
misuse of this information is also vast. The information itself has become a valuable 
product that can be sold for significant amounts of money, and the consequences of 
unauthorized disclosure of health information can be potentially damaging to indi- 
viduals’ lives. The opportunities to exploit available health information will grow in 
number and value as technology and medical science advance. 

As Members of Congress address this critical topic, we would urge you to recog- 
nize the importance of existing state laws addressing the use of health information 
in many contexts. Congress should be aware of the complexity of implementing fed- 
eral standards without inadvertently displacing important provisions of state law. 
We urge Congress not to take a “broad-brush” approach to preemption that would 
unintentionally take away protections at the state level, eliminate states’ ability to 
remedy unintended consequences that result from federal privacy legislation, or pre- 
vent states from responding to future changes in technology or changes in the use 
of health information. The scope of the preemption is a critical issue, and if not care- 
fully constructed it could lead to unintended consequences. We urge you to recognize 
the impact of any privacy legislation on federal and state laws as you debate this 
issue. The members of the NAIC would be happy to work with the Members of Con- 
gress in this area. Thank you. 
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[An attachment is being retained in the Committee files.] 

Statement of Margo P. Goldman, MD, and Peter Kane, MSW, LCSW, BCD, 
National Coalition for Patient Rights, Lexington, MA 

Chairman Thomas and members of the Committee. Thank you for the opportunity 
to submit written testimony on behalf of the National Coalition for Patient Rights 
(National CPR) about protecting the privacy and confidentiality of health informa- 
tion. 

First, we appreciate the Chair’s stated commitment to protecting the confiden- 
tiality and security of our health information. We agree that these principles are 
critical to the delivery of quality health care. A patient knowing that his clinician 
will preserve his privacy and maintain the confidentiality of his medical records is 
the first pillar to constructing a reliable, efficient, and first-rate health care system. 
As stated in National CPR’s recently published White Paper (included as an attach- 
ment), “the primary purpose for collecting personal medical information from a pa- 
tient is for clinical diagnosis and treatment of that patient. Fundamentally, this is 
the reason a patient confides information to a physician or other health care pro- 
vider in the first place.” (P2) Such communication frequently occurs when a patient 
is sick, and therefore, vulnerable. It is done with the expectation originally set forth 
hundreds of years ago in the Hippocratic Oath — that one’s health care provider will 
not disclose what they have learned about the patient unless the patient agrees for 
them to do so. This is the basis of trust in the doctor patient relationship. 

Unfortunately, patients can no longer trust that their most personal information 
will remain private. The state of affairs is in critical condition. First, rapidly ad- 
vancing information technology has created a literal gold mine of medical records. 
And the feeding frenzy is intensif 3 dng. In 1998, CVS and Giant Foods sold prescrip- 
tion data to a Woburn Massachusetts marketing firm in order to promote products. 
Patients learned of this when they received mail solicitations, specific for their med- 
ical conditions. Second, the war against fraud and abuse has led to a virtual assault 
of patients’ privacy. Because HCFA mandated random audits to detect fraud, local 
Medicare carriers were demanding copies of patient records, including psycho- 
therapy notes, as a condition of processing claims. Finally, as health insurers garner 
their efforts to contain costs by managing care, more and more sensitive information 
is demanded and collected. A case in point is the “Erectile Dysfunction Medical Ne- 
cessity Treatment” form that a local health insurer required from all physicians pre- 
scribing medication for impotence. (Copy enclosed) This is but one particularly glar- 
ing example where patients are asked to choose between receiving treatments for 
the most personal of issues and their privacy. 

And citizens are reacting to this: A survey recently conducted by the California 
Healthcare Foundation found 15% of adults said they have done something “out of 
the ordinary” to keep medical information confidential. This includes self-pajdng in- 
stead of using one’s health insurance, avoiding or dela 3 dng needed care, giving inac- 
curate or partial information about medical histories, and asking doctors to not 
write something down in the record. (California HealthCare Foundation, 1999) 

If this trend is allowed to continue, quality health care will be impossible and we 
will all suffer. Physicians and other health care providers will diagnose and treat 
patients based on inaccurate or incomplete data. If patients delay or avoid needed 
care, they will ultimately present for treatment when they are sicker, and less read- 
ily (and more expensively) treated. Doctors will increasingly be forced to rely on 
their memories, rather than the medical record, because of patients’ or their own 
reluctance to record information that may come back to haunt the patient. And sore- 
ly necessary biomedical research will be based on tainted data, unless we can en- 
sure that patients trust the system enough to communicate honestly and openly 
with caregivers. 

National CPR was founded over five years ago in response to this grave health 
care crisis. As an organization whose sole mission has been the patient-centered pro- 
tection of medical privacy and confidentiality, we have developed policy rec- 
ommendations. Congress is quickly approaching the August 21 HIPAA deadline to 
enact legislation; we urge you to use our recommendations (contained in the White 
Paper) as a basis for sound medical privacy policy. The full White Paper is included 
as an attachment to our testimony. The recommendations are as follows: 

Recommendation 1: Medical records should be maintained as confidential and pri- 
vate for the purpose of the clinical benefits of the patient. Disclosure of medical 
records outside the context of clinical care requires the consent of the patient. 

Recommendation 2: The right of patients to determine what information in their 
medical records is shared with other providers and other institutions and agencies 
should be recognized both by law and by institutional policy. Patients who wish not 
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to disclose medical information to other health care providers that may be important 
in their medical care should be counseled about the risks of nondisclosure and sign 
an acknowledgment of their being warned. 

Recommendation 3: Patients should have the legal right to review and copy their 
medical records. Patient access to medical records should be facilitated by providers, 
and charges to patients limited to the cost of copying. Institutions should develop 
clear policies and procedures for patients to correct and amend errors in the medical 
record. Patients should have the right to review the audit trails of who have 
accessed their medical records and for what purposes. 

Recommendation 4: Third party payers of medical services should be required to 
specify in advance the medical information they require to assess claims and man- 
age medical care. Public notice should be made to patients of the kinds of medical 
information that will be requested from their providers. Physician notes should not 
routinely be disclosed to third party payers, and, consistent with the Supreme 
Court’s decision in Jaffe v. Redmond, psychotherapist notes should never be dis- 
closed to third party payers. Patient consent should be required before medical 
records are transferred to or patients are enrolled in disease management programs. 
Disease management programs should be based on sound clinical research and ar- 
ranged through the patient’s own health care provider. 

Recommendation 5: Third party payers should be held accountable to the same 
standards of privacy and confidentiality as are medical care providers. Third party 
payers should be limited in their use of medical records to the terms specified in 
the patient consent to release medical records. No disclosure by third party payers 
to any other party may be made without the written freely given consent of the pa- 
tient, i.e., participation in the health plan or other benefits should not be contingent 
upon patient consent to further disclosures. Patients of third party medical payers 
should have the right to review and copy the medical records held by these organi- 
zations, and to review the logs of whom has had access to their records and for what 
purposes. Third party payers should establish procedures for patients to correct er- 
rors in their medical information. 

Recommendation 6: The psychotherapeutic relationship is of such sensitivity as to 
require special recognition as a domain of absolute privacy. Records and notes of 
psychotherapy sessions should always remain confidential and third parties should 
be prohibited by law from demanding their disclosure for any reason. For reimburse- 
ment purposes, only the minimal amount of information should be disclosed to proc- 
ess claims. 

Recommendation 7: Research involving medical records must either be conducted 
with the freely given informed consent of patients, or with blanket consent which 
delegates to a Medical Records Review Board (MRRB) the authority to waive further 
consent. The MRRB should be constituted by at least a majority of community mem- 
bers (individuals not employed by or otherwise affiliated with the institution) in ad- 
dition to appropriate scientific, medical and allied health personnel and adminis- 
tered by the Medical Records Trustee. MRRB decisions not to grant a waiver of in- 
formed consent should be final. The MRRB should insure that the confidentiality 
of patient information is protected as it passes through a research protocol, that the 
information is not used for other purposes without explicit MRRB approval, and 
that the purposes of research will not be reasonably objectionable to the patient pop- 
ulations involved. 

Recommendation 8: All health services research that relies on personal medical 
information should be reviewed, approved, and overseen by an institutional Medical 
Records Review Board, with the Medical Records Trustee being the main point of 
contact for both patients seeking information about these research/evaluation 
projects, and for those people conducting the research and/or evaluation projects. 

Recommendation 9: Each clinical institution maintaining medical records has the 
responsibility to safeguard their confidentiality by minimizing access to medical 
records to those individuals whose “need to know” is of clinical benefit to the patient 
or is otherwise consented to by the patient. Institutions should employ encryption 
schemes and password protection, and log each access to or modification of the med- 
ical record (e.g., computerized audit trails). Institutions should develop auditing pro- 
grams to ensure that access to and use of medical records is appropriate and take 
appropriate punitive measures when it is not. Patients should have the right to 
limit access to particularly sensitive information. 

Recommendation 10: Each health care institution maintaining medical records or 
medical information should designate a “Medical Records Trustee” responsible for 
promulgating and enforcing institutional confidentiality and privacy policies, and 
ensuring compliance with the law. The Medical Records Trustee shall be the final 
responsible authority for granting any and all access to medical records and infor- 
mation within the institution. The Medical Records Trustee should also be respon- 
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sible for making notification to patients and the general public of the institution’s 
policies for protecting patient privacy and confidentiality of their medical records. 

Recommendation 11: Public health investigations in which an imminent danger 
to the health of individuals or communities is at stake, should be permitted to ac- 
cess private medical records as necessary and as provided for under current law. 
The consent of patients is not necessary, but patients should be notified by their 
providers that their records may be opened to public health authorities. When pro- 
viders make legally mandated disclosures to public health authorities they should 
be required to inform the patient of this requirement at the time the condition is 
discovered. 

Recommendation 12: In general, employers should not have access to clinical med- 
ical records. These records should be segregated from all other personnel-related in- 
formation, and be used only in the benefits determination process (and only where 
the employer is a self-insurer). Employers should be barred from using this informa- 
tion for employment, promotion and other personnel decisions, and provide notifica- 
tion to all employees and prospective employees of what information they collect and 
for what purposes. Employers with access to medical records should be barred from 
disclosing this information to other parties, and should maintain audit trails of who 
has accessed the records and for what purposes, and made available to the employ- 
ees. 

Recommendation 13: Health care institutions maintaining medical records should 
notify the public and patients individually of the offices and functions which have 
access to their medical records. Institutions should also prominently display their 
policies on maintaining confidentiality of medical records. The name, address, and 
phone number of the Medical Records Trustee should be provided to all patients. 

Recommendation 14: Proposals to create systems designed to link private medical 
information or otherwise collate medical record information, such as the Unique Pa- 
tient Identifier or the Master Patient Index, should not be implemented without ex- 
plicit patient informed consent. Patients should always have the freedom to deter- 
mine for themselves what medical information may be collated together and for 
what purposes. 

Recommendation 15: Law enforcement access to medical records should be limited 
to court order. When records are thus obtained, they should contain only the mini- 
mal amount of information necessary to fulfill the purpose for which they were 
sought. Moreover, law enforcement officials should maintain the confidentiality of 
the information they obtain, and should only allow the least number of people access 
as is absolutely necessary. Under no circumstances should personal medical records 
become part of an open court record, where the patients are not parties to the court 
proceeding. In the limited case of health care fraud investigations, anonymous 
records should be used to assess patterns of fraudulent billing, with identified infor- 
mation used only where specific instances of fraud are suspected. 

Recommendation 16: The buying and selling of medical records or information de- 
rived from them, and the use of these records for any marketing purposes, including 
disease management programs, without the freely given informed consent of the pa- 
tient, should be prohibited by law and institutional policy. 

Before we conclude, we will also comment about Federal pre-emption of state and 
common law privacy protection. As noted in the White paper and elsewhere, a num- 
ber of states have passed (or are considering) medical privacy legislation that is 
stronger than some of the Federal proposals. In addition, there exist a host of state 
common law protections and condition-specific statutes (i.e. HIV, mental health, 
substance abuse, etc.) to ensure information privacy. The convenience of inter-state 
information sharing that would be aided by a Federal ceiling of protection does not 
justify trumping individual and states’ rights. Furthermore, “there is no precedent 
federally for pre-empting state statutory and/or common laws for information-based 
industries on this sort of scale.”(White Paper, p7) National CPR recognizes this is 
a complicated issue due to the rapidly changing technologies. Because of this, it is 
critical for states to have legislative flexibility and leeway to search out the best 
methods of safeguarding their own citizens. Finally, the HIPAA mandate for medical 
privacy legislation specified that Federal legislation NOT be preemptive. In keeping 
with Congress’ 1996 requirement for Federal law protecting medical information. 
National CPR strongly urges you to create a Federal floor, not a ceiling, of protec- 
tion. 

Once again, we want to thank Chairman Thomas and the Committee for the op- 
portunity to submit testimony. After over five years of working on medical informa- 
tion privacy, we at National CPR are keenly aware of the complicated nature of the 
issue and the debate. We gladly offer all possible assistance to the Committee and 
your staff as you work through this bill. 
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In conclusion, if Congress fails to enact true, patient-centered medical privacy pro- 
tection, the quality and integrity of our entire health care system will he in danger. 
Ann Cavoukian, the Privacy and Information Commissioner in Canada captured 
this: 

“Confidentiality is to medical records, what sterile procedures are to surgery. Hav- 
ing one without the other is not only undesirable, but potentially bad for your 
health.” (May 1996, Ontario, Canada) 

[Attachments are being retained in the Committee files.] 


National Conference of 

State Legislatures 

July 19, 1999 

The Honorable William M. Thomas 
Chairman, Health Subcommittee 
Committee on Ways and Means 
U.S. House of Representatives 
Washington, DC. 20515 

The Honorable Fortney Stark 
Ranking Member, Health Subcommittee 
Committee on Ways and Means 
U.S. House of Representatives 
Washington, DC. 20515 

Dear Representative Thomas and Representative Stark: 

On behalf on the National Conference of State Legislatures (NCSL), I would like 
to take this opportunity to comment on proposals regarding medical records con- 
fidentiality. 

NCSL firmly believes that states should reflate insurance. We oppose preemp- 
tion of state law, but we understand the desire to establish a minimum standard 
in this area given that health information is transmitted across state and national 
boundaries. We also realize that Congress must enact privacy legislation by August 
21, 1999, as set forth by the Health Insurance Portability and Accountability Act 
of 1996 (HIPAA), and we recognize that all of the current approaches set some type 
of federal standard. Given these factors, we believe that the privacy of health infor- 
mation is one of the few areas where it is appropriate for the federal government 
to set a minimum standard. Federal medical records confidentiality legislation 
should provide every American with a basic set or rights regarding their health in- 
formation. These federal standards, in concert with state law, should be cumulative, 
providing the maximum protection for our citizens. Our mutual goal should be to 
assure that not one individual’s health information is more vulnerable under federal 
law, than it was without it. 


Preemption of State Law 

Federal legislation should establish basic consumer rights and should only pre- 
empt state laws that are less protective than the federal standard. Unfortunately 
many of the proposals pending before Congress take a different approach. 

NCSL is particularly concerned about proposals that would preempt all state laws 
“relating to” medical records privacy. The universe of state laws relating to medical 
records confidentiality is extremely large and is spread across a state’s legal code. 
For example, state laws regarding medical records confidentiality can be found in 
the sections of a state’s code regarding: health, mental health, education, juvenile 
justice, criminal code, civil procedure, family law, labor and emplojunent law. 

While no compendium of state confidentiality laws exists. The Health Privacy 
Project at Georgetown University, part of the Institute for Health Care Research 
and Policy has just completed a summary of major state statutes related to medical 
records privacy. It shows that state law in this area is extensive and at a level of 
detail that is not contemplated in most of the federal proposals. A blanket preemp- 
tion of state law is virtually the same as throwing the baby out with the batb water. 

Should Congress seek to pass federal medical record confidentiality legislation, 
NCSL firmly believes it should: (1) grandfather existing state confidentiality laws; 
(2) narrowly and specifically define the scope of the preemption, preserving issues 
not addressed in the federal proposal for state action; and (3) permit and encourage 
states to enact legislation that provides additional protections. If states are pre- 
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eluded in some general way from taking action in specific areas, there must be a 
mechanism for a state legislature to act if federal legislation adversely impacts the 
citizens in the state. 

Some proposals attempt to address the preemption issue through the inclusion of 
state legislative “carve outs.” This approach attempts to identify all the areas that 
states would be permitted to continue to enact legislation. While well-intended, 
there is no way for states to know the full extent and impact of the preemption and 
carve-outs until the federal law has been implemented. NCSL and the National As- 
sociation of Insurance Commissioners (NAIC) recommend that states be allowed to 
continue to legislate and regulate in any area that is not specifically addressed in 
the federal legislation. Below is language jointly supported by NCSL and NAIC: 

Nothing in this Act shall be construed as preempting, superseding, or repealing, 
explicitly or implicitly, any provision of state law or regulation currently in effect 
or enacted in the future that establishes, implements, or continues in effect, any 
standard or requirement relating to the privacy of protected health information., if 
such laws or regulations provide protections for the rights of individuals to the pri- 
vacy of, and access to, their health information that are at least as protective of the 
privacy of protected health information as those protections provided for under this 
Act. Any state laws or regulations governing the privacy of health information or 
health-related information that are not contemplated by this Act, shall not be pre- 
empted. Federal law shall not occupy the field of privacy protection. The appropriate 
federal authority shall promulgate regulations whereby states can measure their 
laws and regulations against the federal standard. 


Current State Legislative Activity 


Since January 1999, 26 states have enacted laws regarding medical records con- 
fidentiality. Montana enacted comprehensive legislation addressing the activities of 
insurers and North Dakota enacted legislation that established comprehensive pub- 
lic health confidentiality standards. After years of debate, Hawaii enacted a com- 
prehensive law that sets standards for the use and disclosure of both public and pri- 
vate health information. Most states enacted legislation building on existing state 
law or legislation focused on a specific issue. Six laws, addressing a wide variety 
of medical records privacy concerns, were enacted in Virginia during the 1999 legis- 
lative session. Other states that enacted legislation this year are: Arkansas, Colo- 
rado, Connecticut, Georgia, Idaho, Indiana, Iowa, Louisiana, Maine, Mississippi, Ne- 
braska, Nevada, New Mexico, Ohio, Oklahoma, South Carolina, South Dakota, Ten- 
nessee, Texas, Utah, West Virginia and Wyoming. 

Several of these new laws address issues that are not addressed in many of the 
federal proposals. For example, many states have laws establishing strict confiden- 
tiality standards for medical information 

in the possession of employers. These laws would make records from employee as- 
sistance programs (EAP) and workplace drug-testing results, protected health care 
information, subject to strict disclosure and reporting requirements. Several states 
have laws that set limits on how much a health care provider can charge an indi- 
vidual to make copies of their medical records. These laws, designed to help assure 
access, regardless of income, would be preempted under some proposals. These are 
but a few examples that illustrate both the breadth and complexity of the preemp- 
tion issue. 

I thank you for this opportunity to share the perspective of NCSL on this very 
important issue. Enclosed for your information is a copy of the NCSL policy, “Prin- 
ciples for Federal Health Insurance Reform.” I look forward to working with you and 
your colleagues over the next several months to develop a consensus proposal that 
will provide basic medical records privacy protections for all. 

Sincerely, 


Kemp Hannon 
New York Senate 
Chair, NCSL Health Committee 


cc: Representative Bill Archer 
Representative Charles B. Rangel 

Members, House Ways and Means Subcommittee on Health 
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OFFICIAL POLICY 

Insurance Regulation 

• States should regulate insurance and should continue to set and enforce sol- 
vency standards and to provide oversight on insurance matters. 

• Modifications to the Employee Retirement Income Security Act of 1974 (ERISA) 
that would eliminate states^ preemption or strengthen the regulatory authority of 
the states, including consumer access to state remedies, should be adopted. Con- 
versely, NCSL opposes initiatives that would expand the reach of ERISA. 

• Absent changes that would permit states to regulate ERISA plans. Congress 
should impose requirements on ERISA plans that closely track state legislative and 
regulatory initiatives. In addition, federal remedies, that more closely resemble rem- 
edies available at the state level, should be adopted for consumers in ERISA plans. 

• Federal legislation that establishes uniform standards, should establish a floor, 
but not a ceiling. 

• When federal insurance reforms are adopted, the consumer should easily under- 
stand the implementation process and a massive community education effort should 
be an integral part of program implementation. 

• Federal reforms, that require state enforcement, should be funded by the fed- 
eral government. 

• Any federal legislation requiring state action to comply with the law should 
allow a reasonable period of time for state legislatures to adequately debate and 
enact legislation. Where states already have similar legislation in place, a process 
for declaring “substantial compliance” should be developed. 


Medical Records Privacy 


Scope of Law 

• No patient identifiable medical information may be released without written 
and oral informed consent of the patient, unless otherwise exempted. 

• A federal privacy statute should define a range of health care conditions and 
services and protect patient identifiable information, including demographic infor- 
mation, collected during the health care process. 

• A federal privacy statute also should define “information” to include records 
held in whatever form possible — paper, electronic, or otherwise. 

• Strong protections for individuals from the inappropriate disclosure of their 
medical records should be established. 

• Anyone who provides or pays for healthcare or who receives health information 
from a provider, payer, or an individual should be required to conform to the provi- 
sions of the law. 

• Health care providers that do not have direct relationships with the patient 
must also abide by the same standards. 

A payer should not be required to provide a benefit or commence or continue pay- 
ment of a claim in the absence of protected health information, as set forth in each 
state’s statutes, to support or deny the benefit or claim. 

Security 

• Information should not be used or given out unless either the patient authorizes 
it or there is a clear legal basis, under state or federal law, for doing so. 

Consumer Rights 

• Individuals should have the right to: 

• Find out what information is in their medical record; and 

• How the information is used. 

• Practices and procedures must be established that would: 

• Require a written explanation from insurers or health care professionals detail- 
ing who has access to an individual’s information; 

• Require insurers or health care professionals to tell individuals how that infor- 
mation is kept; 

• Inform individuals how they can restrict or limit access to their medical records; 

• Inform individuals how they can authorize disclosures or revoke such authoriza- 
tions; and 

• Inform individuals of their rights should an improper disclosure occur. 

• In general, individuals should be permitted to inspect and copy information 
from their medical record. 
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• Finally, a process should be developed for patients to seek corrections or amend- 
ments to their health information to resolve situations in which coding errors cause 
patients to be charged for procedures they never receive or to be on record as having 
conditions or medical histories that are inaccurate. 

Accountability 

• Severe penalties should be imposed on individuals who knowingly disclose med- 
ical records improperly, or who misrepresent themselves to obtain health informa- 
tion. 

• Civil monetary and/or criminal penalties should be imposed on individuals who 
have a demonstrated pattern or practice of unauthorized disclosure. 

• Any individual whose rights under the federal privacy law have been violated 
should be permitted to bring a legal action for actual damages and equitable relief. 
If the violation was done knowingly, attorney’s fees and punitive damages should 
be available. 

Public Health 

• Under certain limited circumstances, health care professionals, payers, and 
those receiving information from them should be permitted to disclose health infor- 
mation without patient authorization to public health authorities for disease report- 
ing, public health investigation, or intervention, as required by state or federal law. 
Research 

• Research protocols and confidentiality standards should be continued and 
strengthened. 

Law Enforcement 

• Law enforcement representatives should be required to have a court order to 
obtain information from an individual’s medical record. 

Preemption 

• Federal legislation should provide every American with a basic set of rights 
with respect to health information; however, confidentiality protections provided in 
state and federal law should be cumulative, and the federal legislation should pro- 
vide a floor. 

• Federal law should only preempt state laws that are less protective. 

Administrative Simplification 

• Administrative simplification is a key component in efforts to reduce health care 
costs and to improve quality of care. Simplification initiatives should include: 

• the development of uniform claims forms; 

• the establishment and continued refinement of uniform codes; 

• electronic claims processing and billing; and 

• computerized medical records and “smart cards” for medical records and med- 
ical history. 

• Federal and state governments should share information; however, confiden- 
tiality of medical records and information must be protected. 

• Under the provisions of the Health Insurance Portability and Accountability Act 
of 1996, federal law supercedes state law, except when the Secretary determines 
that the state law is necessary: 

• To prevent fraud and abuse, 

• To ensure the appropriate state regulation of insurance or health plans, 

• For addressing controlled substances, or for other purposes. 

NCSL supports a broad interpretation of this provision that would result in lim- 
ited preemption of state laws. 

July 1998 



124 


Kansas City, MO 64111 

22 July 1999 


A.L. Singleton 
Chief of Staff 

Committee on Ways and Means 
U.S. House of Representatives 
1102 Longworth House Office Building 
Washington, DC. 20515 


Dear Mr. Singleton: 


Confidentiality of my patient records is very important to me. Thank you for giv- 
ing me the opportunity to lend my comments to the July 20th hearing on medical 
confidentiality. 

Patients and doctors have a special relationship requiring the divulging of con- 
fidential information that sometimes even the best of friends or family members do 
not share. There must be trust between the doctor and patient to allow for sharing 
what could be damaging information in order to allow timely and appropriate med- 
ical care. 

For the integrity of this relationship and the health care system in general it is 
important that patients have informed voluntary consent prior to the sharing of in- 
formation. The bills before the House and Senate do not protect this right. Rather 
they would create a federal law allowing researchers, government agencies, law en- 
forcement, and managed care organizations to enter my medical records at will. 
They would also limit the right of my state legislators to enact stronger privacy leg- 
islation than Congress enacts. 

As an American, I am entitled to certain rights, including the right of protection 
against unlawful search and seizure by others of my personal property. This in- 
cludes personal information about myself. Also, the Nuremberg Code protects me 
against becoming an unwilling research subject. 

Unconsented access to my medical records will not only violate my Constitutional 
rights as a citizen, it will leave me vulnerable to employment, insurance, and med- 
ical discrimination. I urge you to truly protect my confidentiality by assuring patient 
consent prior to all medical record access. 

Sincerely, 


Elizabeth S. Smock, M.A. 


Statement of Randel K. Johnson, Viee President of Labor and Employee 
Benefits, U.S. Chamber of Commerce 

Mr. Chairman and Members of the Committee, good morning. I am Randel John- 
son, Vice President, Labor and Employee Benefits, U.S. Chamber of Commerce. The 
U.S. Chamber of Commerce is the world’s largest business federation representing 
more than three million businesses and organizations of every size, sector and re- 
gion. 

Mr. Chairman, I have been asked to address the narrow issue of whether or not 
a private cause of action in court should be authorized under the legislation before 
you today, the “Medical Information and Research Enhancement Act of 1999.” We 
believe the only reasonable answer to this question is “no” and the Chamber would 
strongly oppose inclusion of a new individual right to sue in addition to the severe 
civil and criminal penalties already in the legislation. Contrary to the assumptions 
of some, it is not true that a new right to sue must, or should be, created each time 
Congress creates a new substantive legal right or that such a right is necessary for 
effective enforcement. Furthermore, experience would suggest that — given the inher- 
ent negatives associated with court litigation — Congress reserve creation of new pri- 
vate causes of action in court for only those situations where there has been a dem- 
onstrated and well-documented problem with existing enforcement mechanisms. 
This threshold criteria has not been met here. 

It should be emphasized that whatever is enacted will be an important, but com- 
plicated new federal law. Before we subject individuals and organizations to the ex- 
pense and uncertainty of private litigation, we need to allow time for any uncertain- 
ties in the law to be clarified. Hopefully, much of this will be accomplished through 
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administrative regulations that will flesh out the many rights, responsibilities and 
protections in the legislation, a far preferable course than the vagaries, expense and 
inconsistencies of the court system developing policy on a case by case basis. 

Since the question of whether a private cause of action is necessary turns on 
whether or not the existing legislation has adequate provisions to deter violations 
of its provisions, we need to look carefully at what is in the legislation now. I urge 
the Members to refer to the actual text of the legislation in this regard because 
these existing sanctions are actually quite severe. First, let’s review the criminal 
penalties under proposed Section 2801 “Wrongful Disclosure of Protected Health In- 
formation.” Under this section, a “person that knowingly and intentionally” ^ dis- 
closes protected health information shall be fined up to $50,000, imprisoned not 
more than one year or both; and if the offense is committed under “false pretenses,” 
be fined not more than $100,000, imprisoned up to five years or both. And if the 
offense is committed with “the intent to sell, transfer, or use protected health infor- 
mation for monetary gain or malicious harm” the person could be fined up to 
$250,000, and imprisoned not more than 10 years or both. All of these penalties and 
prison sentences could be doubled under certain circumstances. I also note that the 
“person” subject to these sanctions apparently could be anybody employed by, or 
with any connection to, the health information — from a clerical worker on up; hence 
the sweep of these provisions is quite broad. 

Now let’s turn to the civil penalties under new Section 311. Under this section, 
“a person” who the Secretary of Health and Human Services determines has “sub- 
stantially and materially failed to comply with this Act” shall be subject to up to 
$500 for each violation and up to $5,000 for multiple violations arising from failure 
to comply with Title I of the act; and, where a violation relates to Title II, a civil 
penalty of up to $10,000 for each violation, and up to $50,000 in the aggregate for 
multiple violations, may be imposed. A $100,000 penalty is provided for violations 
which constitute a general business practice. This legislation also sets out detailed 
procedures for consideration of penalties under Section 312. The Secretary is em- 
powered to seek injunctive relief. 

To state the obvious, I can assure you that any entity covered by this legislation 
will take these civil and criminal penalties quite seriously, and I have to ask if there 
is anyone in this room today who would view these possible jail terms and monetary 
penalties lightly if they were subject to this law — I doubt it. I would ask you for one 
moment to put yourself in the place of an individual within a business handling 
health care information — of whatever size — and ask yourself that question. 

To help demonstrate the extreme nature of these criminal and civil penalties, it 
might be useful to refer, for the purposes of comparison, to a few employment laws. 
Under the Occupational Safety and Health Act willful or repeat violations can be 
penalized by monetary penalties of between $5,000 and $70,000; a serious violation 
up to $7,000; a non-serious violation up to $7,000, and for failure to correct a viola- 
tion, a civil penalty of not more than $7,000. With regard to criminal penalties, a 
willful violation causing an employee’s death can be punished by a fine of not more 
than $10,000 and imprisonment for not more than 6 months or both, except that 
if the violation is committed after a prior conviction, punishment can be doubled.^ 

The Family and Medical Leave Act and Title VII of the 1964 Civil Rights Act con- 
tain no criminal penalties and only a civil fine of $100 for a willful failure to post 
a notice of FMLA and Title VII rights. The Age Discrimination in Employment Act 
has a criminal penalty of up to $500 or imprisonment of up to 1 year for interfering 
with an EEOC agent. Similarly, the National Labor Relations Act, protecting the 
rights of employees to unionize, provides only for a fine of not more than $5,000 or 
imprisonment for one year for interfering with a Board agent. The Fair Labor 
Standards Act contains fines of not more than $10,000 and imprisonment at up to 
6 months for certain violations. 

As you can see, the proposed civil and criminal penalties of the legislation before 
you are quite severe in comparison to other laws — laws which also protect important 
rights. 

I led my testimony with a discussion on civil and criminal penalties to dispel any 
doubt that this legislation somehow provides an invitation for non-compliance or 
that such penalties are not otherwise adequate to deter violation. Nothing could be 


^We urge the committee to define this concept to encompass only knowing and intentional 
violations of the law in the sense that the individual knew his or her conduct violated the Act 
and intended harm. 

^By operation of the 1984 Comprehensive Crime Control and Criminal Fine Collection Act, 
which standardized penalties and sentences for federal offenses, willful violations of the OSH 
Act resulting in a loss of human life are punishable hy fines up to $250,000 for individuals and 
$500,000 for organizations. 
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further from the truth. In this context, I turn to the question of the need for a pri- 
vate cause of action. 

Contrary to what seems to be a popular conception, many laws rely exclusively 
on government enforcement for protection of important substantive rights, as does 
this legislation. In the labor area alone these include: The Davis Bacon Act (requires 
payment of prevailing wages on government contracts for construction), the Service 
Contract Act (requires payment of prevailing wages on government services con- 
tracts), the Walsh-Healey Act (payment of minimum wages and overtime to employ- 
ees working on government contracts); Executive Order 11246 (prohibits discrimina- 
tion by government contractors); Section 503 of the Rehabilitation Act (prohibits dis- 
crimination by government contractors on the basis of disability), and, perhaps most 
notably, the Occupational Safety and Health Act (protects employee safety and 
health), the Mine Safety and Health Act (protects safety and health of miners), and 
the National Labor Relations Act (protects the rights of employees to engage in con- 
certed activities, including unionization.) ^ 

Of course some labor statutes (in interest of full disclosure) do have a private 
cause of action, typically with remedies keyed to economic damages, such as lost pay 
with — in some instances — a doubling where the violation was willful or without good 
faith. (But let me again emphasize that these laws do not have the severe criminal 
and civil penalties contained in the privacy legislation.) An atypical example is Title 
VII of the 1964 Civil Rights Act, which was amended in 1991 to include non-eco- 
nomic damages (capped at various levels), but only after two years of much conten- 
tious debate encompassing two separate Congresses. 

These changes were based on a long record of experience amassed over some 30 
years, which demonstrated that by the 1990’s changes were needed. Even with this 
lengthy consideration by Congress, the results have not been pretty. Litigation has 
exploded — tripling since 1991 — with discrimination cases constituting almost one of 
every ten cases in federal court, the second highest number after prisoner petitions. 
That only 5% of cases filed with the Equal Employment Opportunity Commission 
are found to have “reasonable cause” and 61% “no reasonable cause,” tells us that 
many of these cases are of questionable validity. I’ve also attached for the Members’ 
reference an article entitled, “Lawsuits Gone Wild,” February 1998, discussing the 
plight of businesses under this surge of litigation. Litigation expenses alone to de- 
fend a case can approach $50,000-$150,000 even before trial. 

Perhaps this isn’t surprising given the nature of civil litigation, but it does em- 
phasize the importance of Congress carefully deliberating before it authorizes indi- 
vidual civil litigation as a remedy. Indeed, the fact that private lawsuits are expen- 
sive, blunt enforcement instruments with enormous transactional costs can hardly 
be argued. While I do not wish to debate tort reform here, it may be worthwhile 
to refer to a few further facts on this issue: 

A Tillinghast-Towers Perrin analysis (Nov. 1995) of the U.S. tort system found 
that when viewed as a method of compensating claimants, the U.S. tort system is 
highly inefficient, returning less than 50 cents on the dollar to the people it is de- 
signed to help — and less than 25 cents on the dollar to compensate for actual eco- 
nomic losses. (Tillinghast-Towers Perrin, “Tort Cost Trends: An International Per- 
spective,” pp. 4, 8) 

The study broke down costs as follows: 


Awards for economic loss 24% 

Administration 24% 

Awards for pain and suffering 22% 
Claimants’ attorney fees 16% 

Defense costs 14% 


Hence, even when non-economic “pain and suffering” awards are included, claim- 
ants ultimately collected only 46% of the money raised, the balance going for the 
high transactional costs of the system. 


3 Other examples include the Paperwork Reduction Act, Section 17(a) of the Securities Ex- 
change Act (see Touche Ross v. Redington, 442 U.S. 560 (1979)), and the Federal Service Labor 
Management Relations Act. 

See study by Lawyers Committee on Civil Rights under Law, Daily Labor Report, March 25, 
1999. The Americans with Disabilities Act includes the same remedies as Title VII although it 
was originally passed and enacted with only equitable relief. The ADA was premised on long- 
standing principles and regulations found under Section 504 of the 1973 Rehabilitation Act. 
Nevertheless, it, like Title VII since amended by the Civil Rights Act of 1991, has resulted in 
considerable litigation, much of it frivolous. See “Helping Employers Comply with the ADA,” Re- 
port of the U.S. Commission on Civil Rights, September 1998, pp. 274—283. 
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These conclusions are consistent with a 1985 RAND study which indicated that 
plaintiffs in tort lawsuits in state and federal courts of general jurisdiction received 
only approximately half of the $29 billion to $36 billion spent in 1985. The cost of 
litigation consumed the other half with about 37% going to attorney’s fees (pp. v- 
xi). A 1988 RAND study of wron^ul discharge cases in California found that “total 
legal fees, including defense billings, sum to over $160,000 per case. The defense 
and plaintiff lawyer fees represent more than half of the money changing hands in 
this litigation.” (pp. viii, 39-40) (The range of jury verdicts were from $7,000 to $8 
million with an average of $646,855. pp. vii, 25-27, excluding defense judgements.) 
(Average award after post-trial settlement and appellate review was still $356,033, 
p. 36) 

A March 1998 study by the Public Policy Institute entitled, “How Lawsuit Lottery 
is Distorting Justice and Costing New Yorkers Billions of Dollars a Year,” applied 
the Tillinghast-Tower’s analysis for New York’s tort liability system and calculated 
that liability expenditures broke out as follows: 

• $6.57 billion in payments to claimants (including $3.1 billion in pain and suf- 
fering awards and only $3.4 billion for actual economic damages). 

• $3.4 billion for administrative overhead. 

• $2 billion for defense costs. 

• And nearly $2.3 billion for plaintiffs’ attorneys. 

The study found: “In sum, more than half of the money extracted from our con- 
sumers, our taxpayers, and our economy by New York’s phenomenally expensive li- 
ability system doesn’t go to its supposed beneficiaries” (p. 26). 

And a May 1995 Hudson Briefing Paper, “The Case for Fundamental Tort Re- 
form” noted that: 

• The U.S. tort system needs to be made far more efficient and our society far 
less litigious and far larger shares of tort payments should go to injured parties 
rather than to lawyers. Currently, more than fifty cents of every dollar paid out of 
the tort system goes to cover attorneys’ fees. 

• Lawyers monopoly of access to the courts allows them to impose a 33.33 to 40 
percent toll charge on all damage recoveries, even in cases in which defendants are 
willing to pay on a rapid no-dispute basis. Contingency fees, the near-uniform 
means of compensating tort claim attorneys, can provide risk free windfall profits 
to lawyers while harming defendants, plaintiffs, and the economy as a whole. 

The real costs of the nation’s tort civil litigation system is enormous® , and the 
broader a civil action is in terms of grounds for liability and damages the more in- 
centive there is for frivolous litigation — as many lawyers and plaintiffs seek to play 
the litigation lottery in front of juries for huge monetary rewards. However, my pri- 
mary point here is that simple logic dictates that a system with such heavy trans- 
actional costs should, by definition, be considered as an option of last resort. 

Of course, I realize that there are those who would argue that a business need 
not fear litigation so long as it obeys the law — so a provision for civil court litigation 
should only trouble truly bad actors and not present a problem to others. The only 
problem with this argument is that it is patently false. The reality of laws in this 
country is that they are invariably complex and, often, simply vague, with the lines 
of compliance uncertain and often changing. The Code of Federal Regulations gov- 
erning the workplace arena alone covers over 4,000 pages of fine print, and hun- 
dreds of court and administrative decisions provide their own gloss of what the law 
is, or is not, on any given day. The Supreme Court handed down three decisions 
on the Americans with Disabilities Act just a month ago and two on what con- 
stitutes sexual harassment under Title VII and one on the Age Discrimination in 
Employment Act in the last session. Eleven Circuit Courts of Appeal render their 
own versions of the law. One treatise on discrimination law stretches over two vol- 
umes and two thousand pages of analysis with more footnotes, as does another on 
the National Labor Relations Act. And these are not atypical examples of one area 
of the law. Even enforcement agencies, with all their expertise, cannot give clear 
answers as to what is or is not required. (See “Workplace Regulation — Information 
on Selected Employer and Union Practices,” GAO Report #94-138) 

All of these problems are magnified when it comes to a new law, such as that be- 
fore you today, which will, no matter how well drafted, be subject to much interpreta- 
tion. Many times there will not be right or wrong answer and that problem will be 
heightened if courts across the country, likely combined with jury trials, are imme- 


®For other overviews of expenses associated with court litigation, see, generally. The Illinois 
Tort Reform Act: Illinois’ Landmark Tort Reform: The Sponsor’s Explanation, 27 Loy. University 
of Chicago L. J. 805, Summer 1996. Also see Symposium: Municipal Liability: The Impact of 
Litigation on Municipalities: Total Cost, Driving Factors, and Cost Containment Mechanisms; 
44 Syracuse Law Review 833, 1993. 
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diately faced with cases to sort out every nuance — which may very well differ from 
jurisdiction to jurisdiction — while the employer is faced with both uncertain require- 
ments and liability. 

In closing, our opposition to inclusion of a private right of action is premised on 
the straightforward notions that (1) the civil and criminal penalties now in the legis- 
lation are quite severe and provide more than adequate deterrence, (2) many laws 
are adequately enforced without private causes of actions, and (3) law suits are a 
rough, blunt and expensive instrument of justice with many negative attributes 
which should only be used where there is a clear track record demonstrating that 
the law in question currently has inadequate enforcement mechanisms — a record 
which certainly does not exist here. Should the Congress find that, after passage 
of this legislation and a period of enforcement, the business community is ignoring 
its responsibilities, it can always revisit the issue and authorize new enforcement 
mechanisms. 

Thank you. 

[Attachments are being retained in Committee files.] 
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